Researcher Finds Third Zero-Day Excel Flaw

Another unpatched flaw in Excel has surfaced, a security company said Thursday, making the bug the third in the last week.

The new vulnerability, said Cupertino, Calif.-based Symantec in an alert to enterprise customers, will let attackers execute Flash files along with JavaScript that run when Excel opens.

According to Symantec's alert, an attacker could embed malicious Flash files into an Excel worksheet using the application's "Shockwave Flash Object" functionality. "The Shockwave Flash object executes when the document is opened," said Symantec.

An attacker can definitely get malicious JavaScript to run by placing it inside a Flash file, which uses the .swf extension. Depending on the version of Flash on the PC, Symantec added, it may also be possible to execute arbitrary commands directly from the .swf file.

According to the document the original researcher posted to the Security Tracker Web site, it appears that Microsoft responded to his query and offered a temporary workaround.
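A defender-side triage check for the embedding Symantec describes, added here as an example and not taken from Symantec's alert or the article: a heuristic raw-byte scan of a legacy binary .xls file for the Shockwave Flash control's CLSID or ProgID and for SWF headers. The function names, the length bound and the sample bytes are assumptions constructed for illustration; a zipped .xlsx would need to be unpacked before scanning.

```python
import re
import uuid

# CLSID of the Shockwave Flash ActiveX control (ProgID "ShockwaveFlash.ShockwaveFlash").
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # header of a binary .xls (OLE compound file)
PROGID = "ShockwaveFlash"
# SWF header: "FWS" (raw) or "CWS" (zlib), 1-byte version, 4-byte little-endian length.
SWF_HEADER = re.compile(rb"(FWS|CWS)([\x01-\x40])(.{4})", re.DOTALL)
MAX_SWF_LEN = 100 * 1024 * 1024                 # assumed sanity bound, cuts false positives


def scan_workbook(data: bytes) -> dict:
    """Heuristic raw-byte scan; does not parse OLE sectors, so treat hits as triage leads."""
    swf_hits = []
    for m in SWF_HEADER.finditer(data):
        declared = int.from_bytes(m.group(3), "little")
        if 8 < declared <= MAX_SWF_LEN:
            swf_hits.append({"offset": m.start(), "signature": m.group(1).decode(),
                             "version": m.group(2)[0], "declared_length": declared})
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        # OLE storages record an embedded control's class as a little-endian GUID.
        "flash_clsid": FLASH_CLSID.bytes_le in data,
        "progid": PROGID.encode("ascii") in data or PROGID.encode("utf-16-le") in data,
        "swf": swf_hits,
    }


def is_suspicious(findings: dict) -> bool:
    """Flag workbooks that reference the Flash control or carry an SWF payload."""
    return findings["flash_clsid"] or findings["progid"] or bool(findings["swf"])


# Constructed sample bytes (not a real workbook): OLE magic, the control's CLSID, a tiny SWF header.
SAMPLE_WITH_FLASH = (OLE_MAGIC + b"\x00" * 504 + FLASH_CLSID.bytes_le + b"\x00" * 16
                     + b"FWS" + bytes([8]) + (64).to_bytes(4, "little") + b"\x00" * 56)
SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 1016

if __name__ == "__main__":
    for name, blob in (("with_flash", SAMPLE_WITH_FLASH), ("clean", SAMPLE_CLEAN)):
        result = scan_workbook(blob)
        print(name, is_suspicious(result), result)
```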
