This vulnerability, related to the CALL function of Excel, allows an
attacker to send an HTML e-mail or modify a HTML web page so that when
accessed, the HTML page will automatically launch Excel and use that
to run any program. This allows the attacker to do pretty much
anything he wants on the host machine.
This attack is not widespread and no real-world incidents have been
The problem has been partially solved by Microsoft by releasing patch
for Excel 97 (this patch will disable the CALL command completely).
Excel 95 can't be protected by this time.
Netscape and Internet Explorer can also be secured against this attack
by updating to the latest version with latest patches. This does not
prevent some attacks through HTML e-mail though.
F-Secure Anti-Virus detects Excel files with embedded harmful CALL
commands and will protect the user against this type of attack.
[By Mikko Hypponen, F-Secure]