Critical flaws found in Excel, Flash Player

FrSIRT says holes in Microsoft's spreadsheet program and Adobe's media player could allow attackers to take control of affected machines and initiate malicious commands.

IT shops that manage systems running Microsoft Excel and Adobe Systems Inc.'s Macromedia Flash Player should take precautions against new, critical security holes in those programs, the French Security Incident Response Team (FrSIRT) has warned . Attackers could exploit the flaws to take control of affected machines and launch malicious commands.

In its advisory on the Excel flaw, FrSIRT said the problem is a memory corruption error that appears "when handling or repairing a document with overly long styles." Attackers could exploit this "to execute arbitrary commands by convincing a user to open and repair a specially crafted Excel file," the firm added.

Unlike other recent Excel/Office flaws, this issue only affects Asian language (Japanese, Korean, and Chinese) versions of the product, FrSIRT said. Specifically, the problem affects Excel 2000, 2002, 2003; and Office 2000, XP and 2003.

Tuesday, Microsoft plans to patch security holes in Excel and Office. The fix is expected to address newer flaws that surfaced in the last month, including a zero-day flaw that has been actively exploited.

In its advisory on the Macromedia Flash Player flaw, FrSIRT outlined two problems:

  • Improper memory access errors that occur when malformed .swf files are processed. Attackers could exploit this to launch malicious commands by tricking a user into visiting a malicious Web page.

  • An unspecified error that occurs when malformed .swf files are handled. Attackers could exploit the flaw by using malicious Web sites to crash a Web browser linked to a vulnerable player.

    The flaws affect Macromedia Flash Player 8.0.24.0 and prior versions. The solution is to upgrade to Flash Player version 9.0.16.0.

  • Read more on IT risk management