Office hit by another security problem
Attackers could commandeer a vulnerable computer by embedding a malicious Flash
file in an Office document.
By Joris Evers
Staff Writer, CNET News.com
Published: June 22, 2006, 6:45 PM PDT
A weakness in how Office
applications handle Macromedia Flash files exposes Microsoft customers to
cyberattacks, experts have warned.
Flash files embedded in Office
documents could run and execute code without any warning, Symantec said in an
alert sent to customers on Thursday. The security issue is the third problem
reported within a week that affects Microsoft Office users.
"A successful attack may allow
attackers to access sensitive information and potentially execute malicious
commands on a vulnerable computer," Symantec said in the alert, which was
sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher
Debasis Mohanty.
The issue relates to the ability to
load ActiveX controls in an Office document and is not a vulnerability but an
Office feature, a Microsoft representative said. "This behavior is by
design and by itself does not represent a security risk to customers," he
said. An ActiveX control is a small application typically used to make Web
sites more interactive.
However, Microsoft acknowledged,
this functionality could be abused by an attacker to automatically load an
ActiveX control on a user's system through an Office document. Currently,
Microsoft is not aware of any ActiveX controls that could allow an attacker to
hijack a vulnerable PC in this way, the representative said.
"Microsoft will continue to
investigate the public reports to help provide additional guidance for
customers as necessary," he said. If any vulnerable ActiveX controls are
found, it is possible to prevent execution in recent versions of Office by
setting a so-called "killbit" for these controls, according to
Microsoft.
The ActiveX issue is the third
security problem related to Office to surface within a week. On Tuesday,
Microsoft confirmed that a flaw related to a
Windows component called "hlink.dll" could be exploited by
crafting a malicious Excel file.
Late last week, Microsoft said a flaw in Excel was being
exploited in at least one targeted cyberattack.
To exploit either one of the new
security issues, an attacker would need to craft a malicious file and host that
file on a Web site, send it via e-mail, or otherwise provide it to the intended
victim. The attempt can be successful only if the file is opened on a
vulnerable PC.
The problems come on the heels of
Microsoft's "Patch Tuesday" batch of security updates. Last week,
Microsoft released 12 patches that addressed 21
vulnerabilities in various products, including Office applications.
The company has said it is working on a patch for the first new Excel flaw.