Researcher Finds Third Zero-Day Excel Flaw

Another unpatched flaw in Excel has surfaced, a security company said Thursday, making the bug the third in the last week.

The new vulnerability, said Cupertino, Calif.-based Symantec in an alert to enterprise customers, will let attackers execute Flash files along with JavaScript that run when Excel opens.

According to Symantec's alert, an attacker could embed malicious Flash files into an Excel worksheet using the application's "Shockwave Flash Object" functionality. "The Shockwave Flash object executes when the document is opened," said Symantec.

The attacker can definitely get malicious JavaScript code to run by sticking it within a Flash file, which uses the .swf extension. It may also be possible, added Symantec, that depending on the version of Flash on the PC, to execute arbitrary commands from the .swf file directly.

By the document posted to the Security Tracker Web site by the original researcher, it appears that Microsoft responded to his query and offered up a temporary workaround."Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI controls," read the Microsoft workaround. "In fact the same OS kill bit infrastructure used by IE is also used in Office. Office XP, 2003 honor kill bits - that is if an attacker tries to instantiate a malicious control that has already had a kill bit issued then they will be unsuccessful."

Microsoft referred the researcher to a document on its support site that outlines how to set "kill bits" in the Windows registry to deflect active content attacks. In the past, Microsoft has frequently told users to set kill bits as a stop-gap defense.

Symantec advised users to set the associated kill bit, and to filter Excel files at e-mail gateways.

Two other Excel bugs have gone public since last Thursday; the first, an unidentified vulnerability that was actually exploited in a targeted attack, appeared last week. A second flaw, this time in how Windows handles long URLs within Excel, was disclosed Tuesday.