Ancient Excel bug comes out of retirement for active attacks
- Reference: 1776253565
- News link: https://www.theregister.co.uk/2026/04/15/excel_exploit/
CISA confirmed shortly after Microsoft rolled out 165 patches on April 14 that CVE-2009-0238 (9.3), first published on February 24, 2009, was being abused in active attacks.
It added the bug to its [1]Known Exploited Vulnerability (KEV) catalog and set a two-week deadline for federal civilian executive branch (FCEB) agencies to patch – one week less than they usually get.
CISA did not reveal much about how the Excel vulnerability is being exploited, nor by whom or for what purpose, as is often the case with its KEV publications.
However, its description of CVE-2009-0238 is unchanged from Microsoft's initial advisory. We know that it's a remote code execution (RCE) issue that attackers can trigger by convincing victims to open a specially crafted Excel document that "includes a malformed object."
Microsoft notified the community and issued a fix for CVE-2009-0238 when it was first discovered being exploited by Trojan.Mdropper.AC, a loader used to deliver other malware in follow-on attacks.
It affects the following versions:
- Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1
- Excel Viewer 2003 Gold and SP3
- Excel Viewer
- Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
- Excel in Microsoft Office 2004 and 2008 for Mac
"An attacker who successfully exploited these vulnerabilities could take complete control of an affected system," Microsoft said in an [6]advisory at the time of its initial disclosure in 2009.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Joining CVE-2009-0238 in CISA's KEV catalog was a far more recent vulnerability, one that was addressed in [11]this week's Patch Tuesday – CVE-2026-32201 (6.5).
The SharePoint Server spoofing flaw was exploited as a zero-day, Microsoft confirmed in its [12]advisory. It did not say who was behind it, however.
The flaw exists because of improper input validation, allowing attackers to spoof data over a network. Successful exploits can give attackers access to sensitive information and the ability to alter disclosed information.
As Mike Walters, president and co-founder of patch management provider Action1, told The Register this week: "By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content."
Walters added that the vulnerability could feasibly be used as part of phishing campaigns or other forms of social engineering attacks.
"The flaw lets attackers fake trust at scale: what looks legitimate may actually be a carefully crafted deception. It can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments." ®
[1] https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
[6] https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009
[11] https://www.theregister.com/2026/04/14/microsofts_massive_patch_tuesday/
[12] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
Re: How is this Working these Days?
Sadly these days it is not a choice between "patch and be secure, don't patch and don't be secure".
It is a choice between, "which is going to fuck our systems up the most - not patching and be vulnerable, or patch and have systems crippled by Microsoft's utterly shite code?"
Re: How is this Working these Days?
The answers to this question are several, and complicated.
Excel is an application. In theory, an application run as a non-privileged user should not allow you privilege to change the system it's running on. Sadly this hasn't been the case for some versions of Windows.
Secondly, these versions of Excel were a one-time purchase ("Hey! I bought it, why shouldn't I still run it"), so if you have the media, it does what you need, and it still runs, you can install it on later versions of Windows. Whether you can patch such an old version of Excel any more is more of an issue, as it could be that back in 2009, you patched it, but installing it from initial install media on more recent systems may put old, unpatched versions on new systems without having the ability to install any patches, because they've dropped off the Microsoft patch sites.
Upgrading to a newer version of Excel will cost money, and may need you to join the subscription service.
And lastly, at one time Microsoft allowed people to instal software they used at work or college on personal systems without additional licenses. How many of these personal systems are now still being used outside of the original license exemptions, and thus won't be patched under any circumstance?
Going forward, expect Microsoft to try to identify and disable old and/or rogue Office installations to try to prevent any of the above situations.
This is why you should always use Excel offline no matter what Microsoft says.
Attack vector
Once again the attack vector is that the user downloads and opens a malicious file.
Should be easily [?] avoided by the use of common sense in not downloading or opening suspicious files.
I have a cheap and disposable Linux machine which I use for opening anything that I'm not sure about. TBH, if I don't recognise the sender as someone that I have business with, then it goes to the Linux box until verified.
confused
"It can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments"
Who trusts any SharePoint environment / instance?
I have seen some awful software over the decades & SharePoint is "up" amongst the worst products I have had to use.
How is this Working these Days?
Are people just not patching?