


Category:   Application (Generic)  >   Microsoft Excel
Vendors:   Microsoft
Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically
SecurityTracker Alert ID:  1016344
SecurityTracker URL:
CVE Reference:   CVE-2006-3014
Date:  Jun 20 2006
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel 'Shockwave Flash Object' function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user.

The vendor was notified on May 3, 2006.

Debasis Mohanty (aka Tr0y) discovered this vulnerability.

The original advisory, including a demonstration exploit, is available at:

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.

Microsoft indicates that customers can set ActiveX control kill bits to prevent the observed behavior. Information on setting kill bits is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 12 2006 (Adobe Issues Fix) Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically
Adobe has issued a fix for Adobe Flash Player.
Nov 14 2006 (Microsoft Issues Fix) Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically
Microsoft has issued a fix for Windows XP SP2.

 Source Message Contents

Subject:  [Full-disclosure] Microsoft Excel File Embedded Shockwave Flash

CVE ID - CVE-2006-3014
MSRC ID - 6542sd

Malicious Flash files with explicit JavaScripts can be embedded within
Excel spreadsheets using a "Shockwave Flash Object", which can be made to run
once the file is opened by the user. It doesn't require the user's intervention
to activate the object; rather, it runs automatically once the file is opened.

An attacker can use Excel as a container to spread malicious Flash files
which will execute once the Excel file is opened by the user. For more
details refer to the PoC below.

Note: The same flash file does not directly run when it is *inserted* into
the excel file as *objects*. However if it is embedded using "Shockwave
Flash Object", it plays *on load* of the excel file. Here there is no user
intervention required to trigger the flash file. It automatically plays once
the excel file is opened.

This test has been performed on -
Windows 2003 (SP1) 
Windows XP Professional Edition (SP1 / SP2) + Office 2003
Windows 2000 Professional + Office 2003

PoC details along with sample exploit file can be downloaded from -

Note: Sample-xls-embed-flash.xls has been included as a demo exploit with
some safe javascripts.

Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI
controls. In fact the same OS kill bit infrastructure used by IE is also
used in Office. To learn more about kill bits please see 

Office XP, 2003 honor kill bits - that is, if an attacker tries to
instantiate a malicious control that has already had a kill bit issued then
they will be unsuccessful. Customers may also create their own kill bits by
reviewing the KB article listed above.

We are considering making changes in upcoming versions and SPs to better
flag, warn or control embedded controls.

03 / 05 / 2006 - Vendor reported
05 / 05 / 2006 - Vendor requested for more info
09 / 05 / 2006 - More details with a working exploit provided to
11 / 05 / 2006 - Vendor confirmed the issue and requested for more time to investigate
18 / 05 / 2006 - Vendor came up with the temporary workaround
23 / 05 / 2006 - Vendor requested to get the advisory passed through MSRC before public release
27 / 05 / 2006 - Vendor suggested minor changes in the advisory
27 / 05 / 2006 - Vendor requested to hold the advisory till 20th June
20 / 06 / 2006 - Vendor approved the release of advisory
20 / 06 / 2006 - Public disclosure

For more details visit -

Debasis Mohanty (aka Tr0y)
