Office hit by another security problem

Attackers could commandeer a vulnerable computer by embedding a malicious Flash file in an Office document.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

Joris Evers

June 23, 2006 5:13 a.m. PT

2 min read

A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.

Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.

"A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer," Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.

The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. "This behavior is by design and by itself does not represent a security risk to customers," he said. An ActiveX control is a small application typically used to make Web sites more interactive.

However, Microsoft acknowledged, this functionality could be abused by an attacker to automatically load an ActiveX control on a user's system through an Office document. Currently, Microsoft is not aware of any ActiveX controls that could allow an attacker to hijack a vulnerable PC in this way, the representative said.

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," he said. If any vulnerable ActiveX controls are found, it is possible to prevent execution in recent versions of Office by setting a so-called "killbit" for these controls, according to Microsoft.

The ActiveX issue is the third security problem related to Office to surface within in a week. On Tuesday, Microsoft confirmed that a flaw related to a Windows component called "hlink.dll" could be exploited by crafting a malicious Excel file. Late last week, Microsoft said a flaw in Excel was being exploited in at least one targeted cyberattack.

To exploit either one of the new security issues, an attacker would need to craft a malicious file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.

The problems come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.