Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically
SecurityTracker Alert ID: 1016344|
SecurityTracker URL: http://securitytracker.com/id/1016344
(Links to External Site)
Date: Jun 20 2006
Execution of arbitrary code via network, User access via network|
Vendor Confirmed: Yes |
A vulnerability was reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system.|
A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel 'Shockwave Flash Object' function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user.
The vendor was notified on May 3, 2006.
Debasis Mohanty (aka Tr0y) discovered this vulnerability.
The original advisory, including a demonstration exploit, is available at:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.|
No solution was available at the time of this entry.|
Microsoft indicates that customers can set ActiveX control kill bits to prevent the observed behavior. Information on setting kill bits is available at:
Vendor URL: www.microsoft.com/ (Links to External Site)
|Underlying OS: Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [Full-disclosure] Microsoft Excel File Embedded Shockwave Flash|
CVE ID - CVE-2006-3014
MSRC ID - 6542sd
Malicious Flash files with explicit java scripts can be embedded within
excel spreadsheets using a "Shockwave Flash Object" which can be made to run
once the file is opened by the user. It doesn't require user's intervention
to activate the object rather it runs automatically once the file is opened.
An attacker can use excel as a container to spread malicious flash files
which will execute once the excel file is opened by the user. For more
details refer the PoC below.
Note: The same flash file does not directly run when it is *inserted* into
the excel file as *objects*. However if it is embedded using "Shockwave
Flash Object", it plays *on load* of the excel file. Here there is no user
intervention required to trigger the flash file. It automatically plays once
the excel file is opened.
II. TESTING ENVIRONMENT
This test has been performed on -
Windows 2003 (SP1)
Windows XP Professional Edition (SP1 / SP2) + Office 2003
Windows 2000 Professional + Office 2003
PoC details along with sample exploit file can be downloaded from -
Note: Sample-xls-embed-flash.xls has been included as a demo exploit with
IV. SOLUTION (PROVIDED BY MICROSOFT)
Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI
controls. In fact the same OS kill bit infrastructure used by IE is also
used in Office. To learn more about kill bits please see
Office XP, 2003 honor kill bits - that is if an attacker tries to
instantiate a malicious control that has already had a kill bit issued then
they will be unsuccessful. Customer may also create their own kill bits by
reviewing the KB article listed above.
We are considering making changes in upcoming version and SP's to better
flag warn or control embedded controls.
V. DISCLOSURE TIMELINES
03 / 05 / 2006 - Vendor reported
05 / 05 / 2006 - Vendor requested for more info
09 / 05 / 2006 - More details with a working exploit provided to
11 / 05 / 2006 - Vendor confirmed the issue and requested for more
time to investigate
18 / 05 / 2006 - Vendor came up with the temporary workaround
23 / 05 / 2006 - Vendor requested to get the advisory past through
MSRC before public release
27 / 05 / 2006 - Vendor suggested minor changes in the advisory
27 / 05 / 2006 - Vendor requested to hold the advisory till 20th June
20 / 06 / 2006 - Vendor approved the release of advisory
20 / 06 / 2006 - Public disclosure
For more details visit - http://hackingspirits.com/vuln-rnd/vuln-rnd.html
Debasis Mohanty (aka Tr0y)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/