Office hit by another security problem

by admin June 23, 2006 at 9:53 am

A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned.

Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users.

“A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer,” Symantec said in the alert, which was sent to users of its DeepSight security intelligence. The vulnerability was reported by researcher Debasis Mohanty.

The issue relates to the ability to load ActiveX controls in an Office document and is not a vulnerability but an Office feature, a Microsoft representative said. “This behavior is by design and by itself does not represent a security risk to customers,” he said. An ActiveX control is a small application typically used to make Web sites more interactive.

However, Microsoft acknowledged, this functionality could be abused by an attacker to automatically load an ActiveX control on a user’s system through an Office document. Currently, Microsoft is not aware of any ActiveX controls that could allow an attacker to hijack a vulnerable PC in this way, the representative said.

Full article: ZDNet Australia