New Microsoft Office Flaw Emerges

Symantec warned customers Thursday of a newly discovered flaw in Microsoft Office that could potentially allow code to execute without any evidence of a break-in. The problem centers on how the software handles embedded Flash files, according to an advisory.

Researcher Debasis Mohanty reported the vulnerability to the Full-Disclosure mailing list on Tuesday. "Malicious Flash files with explicit java scripts can be embedded within Excel spreadsheets using a 'Shockwave Flash Object' which can be made to run once the file is opened by the user," he wrote.

Microsoft disputes that the root of the problem is a vulnerability itself. The flaw makes use of Office's capability to run ActiveX controls within documents. The Redmond company says Office was designed this way, claiming the issue is not a security risk.

However, it is clear that this feature can be used for malicious purposes. Microsoft said it was not aware of any ActiveX controls that are able to take control of a PC using this method, but the company will continue its investigation and provide additional information if need be.

Using something called a "kill bit" could prevent the control from loading. "If an attacker tries to instantiate a malicious control that has already had a kill bit issued then they will be unsuccessful," Mohanty explained.

Additionally, users could create their own kill bits by following instructions from Microsoft.
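
The kill-bit mitigation described above, as an added PowerShell example that is not part of the article or of Microsoft's instructions. The registry path, the 0x400 flag value and the Shockwave Flash Object CLSID come from Microsoft's general kill-bit documentation rather than from this page; the function names are hypothetical, and the example assumes the installed Office version honours the Internet Explorer kill-bit list, as the quote implies.

```powershell
# Added example: audit and set the ActiveX kill bit for a single control.
$KillBit = 0x400   # "do not instantiate this control" compatibility flag
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; 32-bit Office reads this one.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key    = $key
            Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    # Only touch registry views that exist on this machine.
    foreach ($root in @($Roots | Where-Object { Test-Path -LiteralPath $_ })) {
        $key = Join-Path $root $Clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Set kill bit')) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $old = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so other compatibility flags already present survive.
        $new = [int]$old -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Shockwave Flash Object CLSID (not quoted in the article).
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
Get-KillBit -Clsid $FlashClsid | Format-Table -AutoSize
# Preview the change first; run elevated without -WhatIf to apply it.
# Set-KillBit -Clsid $FlashClsid -WhatIf
```

Setting this kill bit also stops the Flash control from loading in Internet Explorer, so audit with `Get-KillBit` before deciding to apply it.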

© 1998-2024 BetaNews, Inc. All Rights Reserved.