Three vulnerabilities were identified in Microsoft Excel recently. The worst of them, in which a specially-crafted flash video can be inserted into a spreadsheet to remotely compromise a computer, doesn’t even require that the user click on anything. All they have to do is open the Excel file from an email attachment and their system is compromised. Excel spreadsheets can even be embedded into web pages, which allows for yet another attack vector.
The other two Excel vulnerabilities were found less than a week earlier. One exploited Excel’s apparent inability to successfully handle long URLs, and the other was a targeted attack that Microsoft has barely commented on. We expect all of these holes will be patched by Microsoft in their upcoming monthly security update. Until then you should handle unknown excel documents as if they could very well be infected with a virus.