
Third Microsoft Excel flaw found this month

A researcher has found yet another flaw in Microsoft Excel - the third since this month's Patch Tuesday security bulletin release.

According to an advisory describing the flaw, the vulnerability can be used to execute arbitrary code. Researcher Debasis Mohanty was credited with discovering the flaw.

"A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel Shockwave Flash Object function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user," according to the advisory, which noted that Microsoft was notified of the flaw on May 3.

According to the advisory, Microsoft has directed users to a support document that shows how to prevent ActiveX controls from running in Internet Explorer.

A recently discovered Excel flaw was located in hlink.dll, a Windows component that handles hyperlink operations; it was found a week after a zero-day flaw in Excel was also discovered. Both were discovered in the week after Microsoft's security bulletin release.
