According to a description of the flaw posted on SecurityTracker.com, the vulnerability can be used to execute arbitrary code, according to an advisory. Researcher Debasis Mohanty was credited with discovering the flaw.
"A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel Shockwave Flash Object function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user," according to the advisory, which noted that Microsoft was notified of the flaw on May 3.
According to the advisory, Microsoft has directed users to a support document that shows how to prevent ActiveX controls from running in Internet Explorer.
A recently discovered Excel flaw was located in hlink.dll, a Windows component that handles Hyperlink operations, a week after a zero-day flaw for Excel was also discovered. Both were discovered in the week after Microsoft's security bulletin release.