A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.
Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.
"A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer," Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.
The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. "This behavior is by design and by itself does not represent a security risk to customers," he said. An ActiveX control is a small application typically used to make Web sites more interactive.
However, Microsoft acknowledged, this functionality could be abused by an attacker to automatically load an ActiveX control on a user's system through an Office document. Currently, Microsoft is not aware of any ActiveX controls that could allow an attacker to hijack a vulnerable PC in this way, the representative said.
"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," he said. If any vulnerable ActiveX controls are found, it is possible to prevent execution in recent versions of Office by setting a so-called "killbit" for these controls, according to Microsoft.
The ActiveX issue is the third security problem related to Office to surface within in a week. On Tuesday, Microsoft confirmed that a flaw related to a Windows component called "hlink.dll" could be exploited by crafting a malicious Excel file. Late last week, Microsoft said a flaw in Excel was being exploited in at least one targeted cyberattack.
To exploit either one of the new security issues, an attacker would need to craft a malicious file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.
The problems come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Please give me chance in the vodafone essar Ltd as back office executive
55 minutes ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobs I want to get a back office job in vodafone direct payroll
56 minutes ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobs
I also find it harder to use. It used to scale properly in Firefox. Text would size up and down without dragging all the right edge debris with it....
5 hours ago by Xwindowsjunkie on ZDNet UK: faster, smarter, still IT all the way
that comment bot is a nutter, it just referred me to the moderator on my own blog. shocked look. please help thank you Dava I'm afriad to...
8 hours ago by dava4444 on Welcome to the new ZDNet UK community! Hi Rupert! Don't think I could fill the above shoes... but if your ever looking for a consumer rights Tech blogger..tip me the wink lol peace Dava
9 hours ago by dava4444 on Fancy working for ZDNet UK? Hi Rupert My photo is gone from my profile and I just got told i was a spammer by the comment bot. the navigation is gone for my profile. :O on...
9 hours ago by dava4444 on Welcome to the new ZDNet UK community!
With windows it is always more bloat, and a lot of that seems to be duplicated in various places. I've noticed that you will have freed space on...
15 hours ago by ator1940 on Can you believe it - 2765 kB will be freed?
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
19 hours ago on Twitter by BuzzMyStat
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
24 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
1 day ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
2 days ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
2 days ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
2 days ago on Twitter by BVE2011 70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
2 days ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
2 days ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
2 days ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
3 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
3 days ago by J.A. Watson on Welcome to the new ZDNet UK community!For multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
You would think that M$ could understand that ACTIVE-X is a problem, not a solution, and would be trying to rectify the situation by removing problem from all software.
26 Jun 06 13:28 Reply