
Ancient Excel bug comes out of retirement for active attacks


While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.

CISA confirmed shortly after Microsoft rolled out 165 patches on April 14 that CVE-2009-0238 (9.3), first published on February 24, 2009, was being abused in active attacks.

It added the bug to its Known Exploited Vulnerabilities (KEV) catalog and set a two-week deadline for federal civilian executive branch (FCEB) agencies to patch – one week less than they usually get.

CISA did not reveal much about how the Excel vulnerability is being exploited, nor by whom or for what purpose, as is often the case with its KEV publications.

However, its description of CVE-2009-0238 is unchanged from Microsoft's initial advisory. We know that it's a remote code execution (RCE) issue that attackers can trigger by convincing victims to open ...


Copyright of this story solely belongs to theregister.co.uk.