www.pit5.com saves this page so readers can view old news that may no longer be available elsewhere.
This is a saved page of Researcher Finds Third Zero-Day Excel Flaw (TechWeb).
This is a copy we made of the page on 22-Jun-2006.
The original page may or may not still be available, and pictures and text may have changed since then.
June 22, 2006 (1:40 PM EDT)

Researcher Finds Third Zero-Day Excel Flaw



By Gregg Keizer, TechWeb Technology News

Another unpatched flaw in Excel has surfaced, a security company said Thursday, making the bug the third in the last week.

The new vulnerability, said Cupertino, Calif.-based Symantec in an alert to enterprise customers, lets attackers execute Flash files, along with JavaScript, that run when Excel opens the document.

According to Symantec's alert, an attacker could embed malicious Flash files into an Excel worksheet using the application's "Shockwave Flash Object" functionality. "The Shockwave Flash object executes when the document is opened," said Symantec.

The attacker can definitely get malicious JavaScript code to run by placing it within a Flash file, which uses the .swf extension. It may also be possible, Symantec added, depending on the version of Flash on the PC, to execute arbitrary commands from the .swf file directly.

According to the document posted to the Security Tracker Web site by the original researcher, it appears that Microsoft responded to his query and offered a temporary workaround.

"Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI controls," read the Microsoft workaround. "In fact the same OS kill bit infrastructure used by IE is also used in Office. Office XP, 2003 honor kill bits - that is if an attacker tries to instantiate a malicious control that has already had a kill bit issued then they will be unsuccessful."

Microsoft referred the researcher to a document on its support site that outlines how to set "kill bits" in the Windows registry to deflect active content attacks. In the past, Microsoft has frequently told users to set kill bits as a stop-gap defense.

Symantec advised users to set the associated kill bit, and to filter Excel files at e-mail gateways.
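The kill-bit workaround Microsoft and Symantec describe above is a registry setting: a control's CLSID gets a "Compatibility Flags" DWORD under the ActiveX Compatibility key with the 0x400 bit set, and both IE and Office XP/2003 then refuse to instantiate it. The PowerShell below is an added example, not code from the article, Microsoft or Symantec, that audits whether that bit is set for a CLSID and, when run elevated, sets it while preserving any other flags. It assumes the documented kill-bit location and flag value (Microsoft KB 240797); the Wow6432Node path is an assumption that applies only on 64-bit Windows, and the default CLSID is the well-known Shockwave Flash Object CLSID, which you should confirm against vendor documentation before relying on it.

```powershell
# Added example (not part of the TechWeb article or any vendor code): audit and,
# on request, set the ActiveX kill bit for a control CLSID, the mitigation the
# article describes. Assumptions: the HKLM "ActiveX Compatibility" key and the
# 0x400 "Compatibility Flags" bit are the documented kill-bit mechanism
# (KB 240797); the Wow6432Node view exists only on 64-bit Windows; the default
# CLSID is the well-known Shockwave Flash Object CLSID (verify before use).

$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks instantiation

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # Native 32-bit view plus the Wow6432Node view when it exists (64-bit hosts).
    $views = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    $views |
        Where-Object { Test-Path (Split-Path $_ -Parent) } |
        ForEach-Object { Join-Path $_ $Clsid }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # One object per registry view: current flags and whether the kill bit is set.
    foreach ($key in Get-KillBitPaths -Clsid $Clsid) {
        $flags = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
                $flags = [int]$item.'Compatibility Flags'
            }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = ('0x{0:X}' -f $flags)
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    # OR the kill bit into any existing flags; requires an elevated shell.
    foreach ($key in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        $new = [int]$current -bor $KillBitFlag
        if ($PSCmdlet.ShouldProcess($key, ('Set Compatibility Flags to 0x{0:X}' -f $new))) {
            New-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value $new -Force | Out-Null
        }
    }
}

# Usage: audit first; then set from an elevated shell (-WhatIf previews the change).
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # well-known Flash CLSID, verify
Test-KillBit -Clsid $FlashClsid | Format-Table -AutoSize
# Set-KillBit -Clsid $FlashClsid -WhatIf
```

Because the article notes that Office and IE share the same kill-bit infrastructure, setting the bit for the Flash control disables it in Internet Explorer as well as in Excel; audit with Test-KillBit before and after the change, and expect the setting to be undone if a later Flash installer re-registers the control.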

Two other Excel bugs have gone public since last Thursday; the first, an unidentified vulnerability that was actually exploited in a targeted attack, appeared last week. A second flaw, this time in how Windows handles long URLs within Excel, was disclosed Tuesday.