New Microsoft Office Flaw Emerges
By Ed Oswald | Published June 23, 2006, 12:29 PM
Symantec warned customers Thursday of a new flaw discovered within Microsoft Office that could potentially execute code without any evidence of a break-in. The problem centers around how the software handles embedded Flash files, according to an advisory.
Researcher Debasis Mohanty reported the vulnerability to the Full-Disclosure mailing list on Tuesday. "Malicious Flash files with explicit java scripts can be embedded within Excel spreadsheets using a 'Shockwave Flash Object' which can be made to run once the file is opened by the user," he wrote.
Microsoft disputes that the root of the problem is a vulnerability itself. The flaw makes use of Office's capability to run ActiveX controls within documents. The Redmond company says Office was designed this way, claiming the issue is not a security risk.
However, it is clear that this feature can be used for malicious purposes. Microsoft said it was not aware of any ActiveX controls that are able to take control of a PC using this method, but the company will continue its investigation and provide additional information if need be.
Using something called a "kill bit" could prevent the control from loading. "If an attacker tries to instantiate a malicious control that has already had a kill bit issued then they will be unsuccessful," Mohanty explained.
Additionally, users could create their own kill bits by following instructions from Microsoft.
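As an added illustration of the kill bit mechanism the article refers to (this is not code from the article, from Mohanty, or from Microsoft's instructions), the PowerShell script below audits whether a kill bit is set for a given control CLSID and optionally sets it. It assumes the documented location of the kill bit list, HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with the 0x400 bit of the "Compatibility Flags" DWORD marking a control as blocked. The article does not give the CLSID of the Shockwave Flash control, so the script takes the CLSID as a parameter and the {00000000-...} value shown in the usage comment is a placeholder only.

```powershell
# Added example, not from the article. Audits and optionally sets the ActiveX
# "kill bit" for one control CLSID. Run elevated, e.g.:
#   .\Set-KillBit.ps1 -Clsid '{00000000-0000-0000-0000-000000000000}'          # audit only
#   .\Set-KillBit.ps1 -Clsid '{00000000-0000-0000-0000-000000000000}' -Set     # set the bit
# The CLSID above is a placeholder; substitute the CLSID of the control you mean to block.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid,
    [switch]$Set
)

# 0x400 in "Compatibility Flags" is the kill bit: the control will not be instantiated.
$KillBit = 0x400

# Kill bits live under the Internet Explorer ActiveX Compatibility key; on 64-bit
# Windows the 32-bit view under Wow6432Node must be covered as well.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-KillBitState {
    # Returns 'absent' (no key or no value), 'clear' (value present, bit not set) or 'set'.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'absent' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'absent' }
    if (($flags -band $KillBit) -eq $KillBit) { return 'set' }
    return 'clear'
}

foreach ($p in $Paths) {
    $state = Get-KillBitState -Path $p
    Write-Output ("{0}: kill bit {1}" -f $p, $state)

    if ($Set -and $state -ne 'set') {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them.
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
        Write-Output ("{0}: kill bit now set (Compatibility Flags = 0x{1:X})" -f $p, $new)
    }
}
```

The audit-only mode is useful on its own: it is a quick way to confirm, after following the vendor's instructions, that the bit actually landed in both registry views, since a kill bit written to only one view leaves the other hosting path unblocked.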
Are you serious? I get it, you are just another MS basher.
This so-called Google spreadsheet is a joke. If you just want to do basic math functions, it will be fine. In fact, it can do nothing else other than basic math functions. It's pure garbage at this stage, and it will probably take years to have any meaning to it.
Score: 0
OpenOffice.org: 1
Microsoft Office: -1,000,000,000,000,000
Score: 0
???
Score: 0
Am I shocked at the myriad fundamental problems with MS products? Heck no! In fact, considering the fundamental use of ActiveX and other fundamentally and fatally flawed technologies, I ASSUME it!
But is reporting EVERY security alert as a news item warranted? This is like watching the TV news and receiving intimate coverage of every car accident and playground scraped knee and fight!
If people subscribe to an anti-virus product and are registered users of a product, they are reasonably assured that such issues will be addressed - or to put it another way, unless the flaw is exceedingly critical, they are not in a position to do much to resolve the issue (barring not using it) until the vendor or a reputable 3rd party issues a fix!
So, with all due respect, and the usual degree of earned disrespect for the sloppy programming model employed by MS (and far too many others!), the making of headlines with each and every MS buffer overflow or exception mis-handling is a bit anal and not news!
Move on!
Score: 0
Another MS product "flaw" requires user intervention.
Score: 0
I never even heard of embedding Flash into an Office document. Not sure why one would do it either, other than to exploit this. Not that the feature shouldn't be possible, but I have read that the more secure programming is, the less user friendly it is. In other words, fixing this flaw (whoever's flaw it is) will likely cause legit uses to not function anymore.
Score: 0
Indeed.
I love Excel partly because of its extensibility and its programmability. You can really do some very powerful stuff with it.
Score: 0
Weeeeeeeeeeee
Score: 0
"Microsoft was not personally aware of any ActiveX controls that were malicious in nature"
I find this statement a bit strange...
Score: 0
Just covering their a** as always.....
Score: 0
"could potentially" != "does". My foot could end up in your ass. Doesn't mean it will, or does.
"can be made" != "has been made". A plate of french fries with chocolate chips, whipped cream, and a cherry on top can be made. Does not mean it has been, or ever will be.
"once the file is opened by the user" = requires user intervention. Duh?
Pretty much sums it up.
Flame on, boys and girls. :)
Score: 0
PC_Tool = tool. Nuff said.
Score: -1
Bwaahahaaa!!!
That was funny. I've never heard that one before....
Score: 0