June 22, 2006 6:45 PM PDT

Office hit by another security problem

A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.

Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.

"A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer," Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.

The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. "This behavior is by design and by itself does not represent a security risk to customers," he said. An ActiveX control is a small application typically used to make Web sites more interactive.

However, Microsoft acknowledged, this functionality could be abused by an attacker to automatically load an ActiveX control on a user's system through an Office document. Currently, Microsoft is not aware of any ActiveX controls that could allow an attacker to hijack a vulnerable PC in this way, the representative said.

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," he said. If any vulnerable ActiveX controls are found, it is possible to prevent execution in recent versions of Office by setting a so-called "killbit" for these controls, according to Microsoft.

The ActiveX issue is the third security problem related to Office to surface within in a week. On Tuesday, Microsoft confirmed that a flaw related to a Windows component called "hlink.dll" could be exploited by crafting a malicious Excel file. Late last week, Microsoft said a flaw in Excel was being exploited in at least one targeted cyberattack.

To exploit either one of the new security issues, an attacker would need to craft a malicious file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.

The problems come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.

See more CNET content tagged:
ActiveX Control, security problem, Microsoft Office, attacker, cyberattack

16 comments

Join the conversation!
Add your comment
Time for class action lawsuit (And Apple to sell MacOSX separately)
First it's clear that after about 20 high profile vulnerabilities announced in just the last 2 weeks against Windows and Office, that MS needs to be sued by EVERY SINGLE COMPUTER OWNER for selling defective software.

Before you say "it's not MS that is doing bad things, it's bad people who do bad things"....Think of a bank knowingly having a bad lock, or a window (no pun intended) breakage sensor that is bad because they were too cheap to invest in a better one. If someone breaks in and steals your stuff from the deposit box, you can bet that bank would be liable and would be sued if they didn't compensate you for your loss.

MS needs to be sued out of existance. It's already happening on a small basis (EU in particular) but needs to happen on a much larger basis before EVERYONE in the world has their identity stolen thanks to Windows and Office.

And now, Mr. Steve Jobs, would be an EXCELLENT time for you to break away from your past and sell your operating system separate from your hardware. Your sales would go through the roof! Even if ONLY IPOD owners purchased it (which I'm willing to bet 50%+ would), that would be enough to unseat Windows after only a few years.

Think of it... Apple could take out Microsoft *AND* any chance of Google competing with one simple step. SELL YOUR OS SEPARATELY!!!!

And they could easily charge $400 for it vs the $200 for Windows and there would be tons of people willing to pay that (look at the IPOD comapred to the MP3/WMA clones). There would be no need to sell hardware, but they still could customize it.

Think about it.... MS Stock would plummet to $10 the day after the announcement, guarenteed.
Posted by Anon-Y-mous (124 comments )
Reply Link Flag
We're halfway there
With Boot Camp, Parallels and the Intel Mac line being completed soon, Apple is halfway there.
<a class="jive-link-external" href="http://www.techknowcafe.com/content/view/527/42/" target="_newWindow">http://www.techknowcafe.com/content/view/527/42/</a>
Posted by (156 comments )
Link Flag
Apple?
Apple? Secure? The Apple who had 31 vulnerabilities, most of which all arbitrary code execution?

<a class="jive-link-external" href="http://www.frsirt.com/english/advisories/2006/1779" target="_newWindow">http://www.frsirt.com/english/advisories/2006/1779</a>

Most of the recent Windows vulnerabilites need user interaction - you need to download a malicious office document from the web.

Most of the Apple ones are exploitable without user intervention.

Have you sued Apple?
Posted by NotParker (19 comments )
Link Flag
Apple? Hundreds of vulnerabilities!
<a class="jive-link-external" href="http://www.frsirt.com/english/vendor/229" target="_newWindow">http://www.frsirt.com/english/vendor/229</a>

Notice the word "multiple" multiple times!

Yuck. What an insecure OS!
Posted by NotParker (19 comments )
Link Flag
My appologies...
Hope you don't take this too personally:

<a class="jive-link-external" href="http://www.albinoblacksheep.com/flash/apple.php" target="_newWindow">http://www.albinoblacksheep.com/flash/apple.php</a>
Posted by Johnny Mnemonic (374 comments )
Link Flag
Time for openoffice.org ?
Time to give that office suite a try. It has pretty much everything you need. Bugs WILL be found and patched sooner. Free too!

KM
Posted by kieranmullen (1070 comments )
Reply Link Flag
It Is About "Time" that....
... Open Office's "Calc" and Microsoft Office's "Excel" return the "feathers" that were borrowed from Lotus SmartSuite's "Lotus 1-2-3" since they are both not up to the job of flying "very high" in the dynamic "internet" age in which the world is revolving today... just take the example of the story on this CNET NEWS site Re: "Boeing evaluating fate of in-flight Net service" which states in part, "The company is evaluating Connexion to assess what's best for both the business and our customers," Boeing spokesman John Dern said."; the question is - whose "tools" (90% market share's or Open Office's) are they evaluating with! This article also states ""We know we have a useful product, but we're trying to determine how good a business we have," he said." an easy answer for Microsoft and Boeing - Open Source the "products"!

<a class="jive-link-external" href="http://news.cbsi.com/Boeing+evaluating+fate+of+in-flight+Net+service/2100-1034_3-6087222.html?tag=nefd.top" target="_newWindow">http://news.cbsi.com/Boeing+evaluating+fate+of+in-flight+Net+service/2100-1034_3-6087222.html?tag=nefd.top</a>
Posted by Captain_Spock (894 comments )
Link Flag
Report it like it should be:
Incorrect:

&gt;&gt;&gt;not a vulnerability but an Office feature&lt;&lt;&lt;

Correct:

An vulnerable Office feature!

It is vulnerable and thus one cannot go around saying not a vulnerability when in fact it is... it also just so happens to be a feature.

But then so are oodles of other security weaknesses in Microsoft products... they're all features which are full of bugs, vulnerabilities and other kinds of security weaknesses.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.