A brand new vulnerability in Excel's collection

Jun 22, 2006 08:06 GMT  ·  By

Just the third vulnerability this week, but the counting still goes on. The Excel spreadsheet application is an open invitation to online attacks. The new flaw exploits the interaction of Adobe Systems' Flash technology and Excel. Flash files embedded in Excel to offer users dynamic content, graphics and animations can be compromised to allow remote code execution, which makes this a critical vulnerability.

If the malicious Flash file is inserted directly in Excel as an object, it requires user interaction in order to launch. But if it is embedded via Excel's Shockwave Flash Object function, the file executes automatically, playing when the Excel file loads, without requiring user intervention.

As an immediate solution to protect systems that have been confirmed as being vulnerable - Windows 2003 (SP1); Windows XP Professional Edition (SP1 / SP2) + Office 2003; Windows 2000 Professional + Office 2003 - advanced users can stop ActiveX controls from running in Excel. The average user can limit himself to not opening Excel documents that come from unknown or untrustworthy sources.
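For triage of workbooks from untrusted sources, a scanner can flag files that carry the Shockwave Flash Object control before anyone opens them. The following is an added example, not code from the article or from any vendor: a heuristic byte scan for the control's CLSID and ProgID, with a constructed sample input. It goes beyond the Office 2003 files discussed above by also unpacking zip-based workbooks.

```python
import io
import sys
import uuid
import zipfile

# CLSID and ProgID of the Shockwave Flash ActiveX control.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
FLASH_PROGID = "ShockwaveFlash.ShockwaveFlash"

# Constructed sample: OLE2 magic, padding, then the control's binary CLSID.
SAMPLE_XLS = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 8 + FLASH_CLSID.bytes_le


def scan_bytes(data):
    """Return the sorted names of Flash-control markers found in data."""
    hits = set()
    # Binary GUID as stored in OLE storage headers: compare on raw bytes.
    if FLASH_CLSID.bytes_le in data:
        hits.add("clsid-binary")
    # Textual forms are matched case-insensitively, as ASCII and UTF-16LE.
    lowered = data.lower()
    for name, text in (("clsid-text", str(FLASH_CLSID)),
                       ("progid", FLASH_PROGID.lower())):
        if text.encode("ascii") in lowered or text.encode("utf-16-le") in lowered:
            hits.add(name)
    return sorted(hits)


def scan_workbook(data):
    """Map each part of a workbook (or '<file>') to the markers it holds."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Zip-based workbook: members are compressed, so scan each one.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                hits = scan_bytes(archive.read(member))
                if hits:
                    findings[member] = hits
    elif scan_bytes(data):
        findings["<file>"] = scan_bytes(data)
    return findings


if __name__ == "__main__":
    print("constructed sample:", scan_workbook(SAMPLE_XLS))
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            result = scan_workbook(handle.read())
        print(path, "FLASH CONTROL" if result else "clean", result)
```

A hit means the workbook references the Flash control, not that the embedded content is malicious; treat it as a reason to inspect the file in an isolated environment.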