New Security Hole Discovered in Excel

Posted on : 30-01-2008 | By : admin | In : Business Process


Microsoft warned Tuesday that hackers are exploiting a vulnerability in numerous versions of Excel. Opening a malicious Excel document compromises the user’s machine and allows the attacker to execute code on it remotely.

Microsoft said the risk is “limited” since the malicious code has not been widely disseminated. “At this time, we are aware only of targeted attacks that attempt to use this vulnerability,” Microsoft Security Advisory 947563 said.

The vulnerability affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for the Macintosh.

To Patch or Not to Patch?

The company has not decided whether to issue a patch for the vulnerability, the advisory said. It added, “Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Microsoft describes two attack vectors for the vulnerability: an e-mail attack and a web-based attack. The company downplayed the significance of both.

A web-based attack would require a hacker to host the malicious Excel file on a Web site and convince a victim to open it, Microsoft said.

“An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or an Instant Messenger message that takes users to the attacker’s site,” the company said.

“For an [e-mail] attack to be successful, a user must open an attachment that is sent in an e-mail message,” the advisory added. Security blogger Larry Dignan noted, “This is no comfort to me, since…
