Microsoft has revealed it is working on a patch for a zero-day vulnerability in its Office Web Components, which are used for publishing spreadsheets, charts and databases to the web.
The company did not indicate when the patch would be released.
"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," said Dave Forstrom, a group manager who is part of Microsoft's Security Response Center, in a blog.
An ActiveX control is a small add-on program that works in a web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.
The new flaw comes as the company prepares to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month. That problem lies with the Video ActiveX control within Internet Explorer.
Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious website, a hacking technique known as a drive-by download
"In all cases, however, an attacker would have no way to force users to visit these web sites," Microsoft said in advisory.
"Instead, an attacker would have to persuade users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."
Microsoft has issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.
Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions on how to implement this.
Download FREE whitepapers:
Take part in PC Advisor's Broadband Survey 2009
See also: 'Conficker 2' IE bug will spread quickly