
By Joris Evers
Posted on ZDNet News: Jun 23, 2006 1:45:00 AM

A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.

Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.

"A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer," Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.

The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. "This behavior is by design and by itself does not represent a security risk to customers," he said. An ActiveX control is a small application typically used to make Web sites more interactive.

However, Microsoft acknowledged, this functionality could be abused by an attacker to automatically load an ActiveX control on a user's system through an Office document. Currently, Microsoft is not aware of any ActiveX controls that could allow an attacker to hijack a vulnerable PC in this way, the representative said.

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," he said. If any vulnerable ActiveX controls are found, it is possible to prevent execution in recent versions of Office by setting a so-called "killbit" for these controls, according to Microsoft.
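The killbit mentioned above is a registry flag: bit 0x400 in the "Compatibility Flags" value under a control's CLSID in the Internet Explorer "ActiveX Compatibility" key. The following PowerShell is an added example, not code from Microsoft, Symantec or the article; the function names are hypothetical and the CLSID is a constructed placeholder, since the article names no specific control.

```powershell
# Added example: audit and set the ActiveX kill bit for one control.
# Run from an elevated prompt; HKLM is not writable otherwise.
$KillBit = 0x400   # kill bit within the "Compatibility Flags" DWORD

# Native registry view, plus the 32-bit view read by 32-bit applications
# on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -Path $key) {
            $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key    = $key
            Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $key = Join-Path $root $Clsid
        # Create the key only if absent, so existing values are not wiped.
        if (-not (Test-Path -Path $key)) { New-Item -Path $key | Out-Null }
        $old = (Get-ItemProperty -Path $key).'Compatibility Flags'
        $new = ([int]$old) -bor $KillBit   # keep any other flags already set
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Constructed placeholder CLSID; substitute the control named in a vendor advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Get-KillBitState -Clsid $Clsid | Format-Table -AutoSize
# Set-KillBit -Clsid $Clsid   # uncomment to apply, then re-run the audit
```

The audit reports both registry views because a kill bit set in only one of them does not cover applications that read the other.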

The ActiveX issue is the third security problem related to Office to surface within a week. On Tuesday, Microsoft confirmed that a flaw related to a Windows component called "hlink.dll" could be exploited by crafting a malicious Excel file. Late last week, Microsoft said a flaw in Excel was being exploited in at least one targeted cyberattack.

To exploit either one of the new security issues, an attacker would need to craft a malicious file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.

The problems come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.


