Full Disclosure mailing list archives
Re: Microsoft Excel Embedded Shockwave Flash Object Flaw [Fix Released]
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Fri, 24 Nov 2006 00:10:48 -0800
Finally MS released the fix for CVE-2006-3014 along with others -
http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx

Regards,
-d

-----Original Message-----
From: Ring-of-Fire () yahoogroups com [mailto:Ring-of-Fire () yahoogroups com] On Behalf Of Debasis Mohanty
Sent: Friday, October 06, 2006 1:02 AM
To: Ring-of-Fire () yahoogroups com
Subject: [Ring-of-Fire] Re: Microsoft Excel Embedded Shockwave Flash Object Flaw [Fix Released]

Though M$ has not yet released any permanent fix for this, Adobe bothered to release one before M$ rollout the fix with Office 12 -
http://www.frsirt.com/english/advisories/2006/3573

regards,
-d

--- In Ring-of-Fire () yahoogroups com, "Debasis Mohanty" <debasis.mohanty.listmails@...> wrote:
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

CVE ID - CVE-2006-3014
MSRC ID - 6542sd

I. DESCRIPTION

Malicious Flash files with explicit java scripts can be embedded within excel spreadsheets using a "Shockwave Flash Object" which can be made to run once the file is opened by the user. It doesn't require user's intervention to activate the object rather it runs automatically once the file is opened.

An attacker can use excel as a container to spread malicious flash files which will execute once the excel file is opened by the user. For more details refer the PoC below.

Note: The same flash file does not directly run when it is *inserted* into the excel file as *objects*. However if it is embedded using "Shockwave Flash Object", it plays *on load* of the excel file. Here there is no user intervention required to trigger the flash file. It automatically plays once the excel file is opened.

II. TESTING ENVIRONMENT

This test has been performed on -

Windows 2003 (SP1)
Windows XP Professional Edition (SP1 / SP2) + Office 2003
Windows 2000 Professional + Office 2003

III. PROOF-OF-CONCEPT

PoC details along with sample exploit file can be downloaded from -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Note: Sample-xls-embed-flash.xls has been included as a demo exploit with some safe javascripts.

IV. SOLUTION (PROVIDED BY MICROSOFT)

Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI controls. In fact the same OS kill bit infrastructure used by IE is also used in Office. To learn more about kill bits please see http://support.microsoft.com/kb/240797/EN-US/.

Office XP, 2003 honor kill bits - that is if an attacker tries to instantiate a malicious control that has already had a kill bit issued then they will be unsuccessful. Customer may also create their own kill bits by reviewing the KB article listed above.

We are considering making changes in upcoming version and SP's to better flag warn or control embedded controls.

V. DISCLOSURE TIMELINES

03 / 05 / 2006 - Vendor reported
05 / 05 / 2006 - Vendor requested for more info
09 / 05 / 2006 - More details with a working exploit provided to vendor
11 / 05 / 2006 - Vendor confirmed the issue and requested for more time to investigate
18 / 05 / 2006 - Vendor came up with the temporary workaround
23 / 05 / 2006 - Vendor requested to get the advisory past through MSRC before public release
27 / 05 / 2006 - Vendor suggested minor changes in the advisory
27 / 05 / 2006 - Vendor requested to hold the advisory till 20th June
20 / 06 / 2006 - Vendor approved the release of advisory
20 / 06 / 2006 - Public disclosure

For more details visit -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

VI. CREDITS

Debasis Mohanty (aka Tr0y)
www.hackingspirits.com
d3basis.m0hanty@...
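The kill-bit check that section IV of the quoted advisory refers to, as an added example that is not part of the original post or of Microsoft's guidance. It assumes the registry layout documented in KB 240797 (a `Compatibility Flags` DWORD with bit 0x400 set under `ActiveX Compatibility\{CLSID}`) and that the Flash control is registered under the ProgID `ShockwaveFlash.ShockwaveFlash`; the function names are hypothetical.

```powershell
# Added example: report whether an ActiveX kill bit is set for a control.
# Assumption (per KB 240797): the kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under ...\ActiveX Compatibility\{CLSID}.
$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit registry view on 64-bit Windows, the one 32-bit Office reads
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Look the CLSID up from the ProgID so nothing is hard-coded.
function Resolve-ControlClsid {
    param([Parameter(Mandatory)][string]$ProgId)
    $path = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    (Get-ItemProperty -LiteralPath $path).'(default)'
}

# One result row per registry view that exists on this host.
function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# ProgID is an assumption; substitute the control you are auditing.
$clsid = Resolve-ControlClsid -ProgId 'ShockwaveFlash.ShockwaveFlash'
if ($clsid) { Get-KillBitStatus -Clsid $clsid | Format-Table -AutoSize }
else { Write-Output 'Control is not registered on this host.' }
```

A row with `KillBitSet = False` in the view that Office uses means the control can still be instantiated from a document on that host.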