IT shops that manage systems running Microsoft Excel and Adobe
Systems Inc.'s Macromedia Flash Player should take precautions
against new, critical security holes in those programs, the French
Security Incident Response Team (FrSIRT) has warned. Attackers
could exploit the flaws to take control of affected machines and
launch malicious commands.

In its advisory on the Excel flaw, FrSIRT said the problem is a
memory corruption error that appears "when handling or repairing a
document with overly long styles." Attackers could exploit this "to
execute arbitrary commands by convincing a user to open and repair a
specially crafted Excel file," the firm added.

Unlike other recent Excel/Office flaws, this issue affects only
Asian language (Japanese, Korean, and Chinese) versions of the
product, FrSIRT said. Specifically, the problem affects Excel 2000,
2002 and 2003, and Office 2000, XP and 2003.

Tuesday, Microsoft plans to patch security holes in Excel and
Office. The fix is expected to address newer flaws that surfaced in
the last month, including a zero-day flaw that has been actively
exploited.

In its advisory on the Macromedia Flash Player flaw, FrSIRT
outlined two problems:
- Improper memory access errors that occur when malformed .swf
files are processed. Attackers could exploit this to launch
malicious commands by tricking a user into visiting a malicious Web
page.
- An unspecified error that occurs when malformed .swf files are
handled. Attackers could exploit the flaw by using malicious Web
sites to crash a Web browser linked to a vulnerable
player.

The flaws affect Macromedia Flash Player 8.0.24.0 and prior
versions. The solution is to upgrade to Flash Player version
9.0.16.0.