Experts Warn of Critical Vulnerability in Macromedia Flash Handling that Poses Attack Risks to Users
Flash files embedded in MS Office documents could execute code without the user being aware of it.
This security issue is the third related to the Microsoft Office suite discovered within just one week.
If successfully exploited, this vulnerability could allow attackers to access sensitive information and execute malicious code on the compromised system, Symantec confirmed in a warning issued to its customers.
Researcher Debasis Mohanty discovered this security flaw. The issue, however, stems from the ability to load ActiveX controls from Office files rather than from a flaw in the application suite’s own features. ActiveX is a small application designed to enhance the compatibility of web pages.
“The method of handling Macromedia Flash files in terms of design and the feature itself does not place users at risk of attack,” a Microsoft representative stated.
However, Microsoft also confirmed that this vulnerability could be exploited by hackers to automatically run an ActiveX control on users’ systems via an Office file. So far, Microsoft has not reported any instances of hackers using ActiveX to compromise PCs through this method.
“Microsoft will continue to investigate further information on this issue to provide necessary guidance to customers,” the representative assured.
The ActiveX-related issue marks the third security concern associated with Office identified in just a week. Recently, Microsoft acknowledged a security flaw related to a Windows component “hlink.dll” that could be exploited by creating a malicious Excel file. The week before, another vulnerability in Excel was exploited to attack users.
To exploit the new security vulnerabilities in Office, an attacker needs to create a malicious file and host it online, send it via email, or otherwise deliver it to victims. The attack succeeds only if the user opens that file.
Most security flaws are discovered shortly after Microsoft releases its monthly security patches.
Hoang Dung