Researchers have discovered a vulnerability in Microsoft Excel, one of the most widely used productivity programs in the corporate world, that could let attackers take over a user’s system and remotely launch malware.
The flaw, found by the team at Mimecast, lies in the Power Query tool, which lets users integrate spreadsheets with external databases, text documents and Web pages. If exploited by attackers, it can also launch sophisticated, hard-to-detect attacks.
“Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” the company said. The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
Microsoft has not issued a fix for the vulnerability at this time, but did release an advisory document for users, offering a workaround to beef up security.
The vulnerability is based upon a method called Dynamic Data Exchange (DDE). Attacks using this method are common, but this one is notable because it gives intruders administrative privileges.
“Because Power Query is a powerful tool within Microsoft Excel, the potential threat for abusing the feature is great,” said Mimecast. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened.”
More must-read stories from Fortune:
—The fall and rise of VR: The struggle to make virtual reality get real
—“It’s just lazy”: Current’s CEO on Facebook Calibra’s similar logo
—Slack went public without an IPO. Here’s how a direct offering works
—Welcome to the next generation of corporate phishing scams
—Listen to our new audio briefing, Fortune 500 Daily
Catch up with Data Sheet, Fortune‘s daily digest on the business of tech.
