Finally MS released the fix for CVE-2006-3014 along with others - http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx
Regards,
-d

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
Sent: Friday, October 06, 2006 1:02 AM
To: [EMAIL PROTECTED]
Subject: [Ring-of-Fire] Re: Microsoft Excel Embedded Shockwave Flash Object Flaw [Fix Released]

Though M$ has not yet released any permanent fix for this, Adobe bothered to release one before M$ rolls out the fix with Office 12 - http://www.frsirt.com/english/advisories/2006/3573

regards,
-d

--- In [EMAIL PROTECTED], "Debasis Mohanty" <[EMAIL PROTECTED]> wrote:
>
> http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
> CVE ID - CVE-2006-3014
> MSRC ID - 6542sd
>
> I. DESCRIPTION
> Malicious Flash files with explicit java scripts can be embedded within
> Excel spreadsheets using a "Shockwave Flash Object" which can be made to
> run once the file is opened by the user. It doesn't require the user's
> intervention to activate the object; rather, it runs automatically once
> the file is opened.
>
> An attacker can use Excel as a container to spread malicious Flash files
> which will execute once the Excel file is opened by the user. For more
> details refer to the PoC below.
>
> Note: The same Flash file does not directly run when it is *inserted*
> into the Excel file as *objects*. However, if it is embedded using
> "Shockwave Flash Object", it plays *on load* of the Excel file. Here
> there is no user intervention required to trigger the Flash file. It
> automatically plays once the Excel file is opened.
>
>
> II. TESTING ENVIRONMENT
> This test has been performed on -
> Windows 2003 (SP1)
> Windows XP Professional Edition (SP1 / SP2) + Office 2003
> Windows 2000 Professional + Office 2003
>
>
> III. PROOF-OF-CONCEPT
> PoC details along with sample exploit file can be downloaded from -
> http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
> Note: Sample-xls-embed-flash.xls has been included as a demo exploit
> with some safe javascripts.
>
>
> IV. SOLUTION (PROVIDED BY MICROSOFT)
> Just like IE - Microsoft Office enforces ActiveX control kill bits for
> SFI controls. In fact the same OS kill bit infrastructure used by IE is
> also used in Office. To learn more about kill bits please see
> http://support.microsoft.com/kb/240797/EN-US/.
>
> Office XP, 2003 honor kill bits - that is, if an attacker tries to
> instantiate a malicious control that has already had a kill bit issued
> then they will be unsuccessful. Customers may also create their own kill
> bits by reviewing the KB article listed above.
>
> We are considering making changes in upcoming versions and SPs to better
> flag, warn or control embedded controls.
>
>
> V. DISCLOSURE TIMELINES
> 03 / 05 / 2006 - Vendor reported
> 05 / 05 / 2006 - Vendor requested for more info
> 09 / 05 / 2006 - More details with a working exploit provided to vendor
> 11 / 05 / 2006 - Vendor confirmed the issue and requested for more time to investigate
> 18 / 05 / 2006 - Vendor came up with the temporary workaround
> 23 / 05 / 2006 - Vendor requested to get the advisory passed through MSRC before public release
> 27 / 05 / 2006 - Vendor suggested minor changes in the advisory
> 27 / 05 / 2006 - Vendor requested to hold the advisory till 20th June
> 20 / 06 / 2006 - Vendor approved the release of advisory
> 20 / 06 / 2006 - Public disclosure
>
>
> For more details visit - http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> VI. CREDITS
> Debasis Mohanty (aka Tr0y)
> www.hackingspirits.com
>
> [EMAIL PROTECTED]
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
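
The kill-bit workaround quoted in section IV above, as an added PowerShell example that is not part of the original advisory or of Microsoft's text: it reads the `Compatibility Flags` value described in KB240797 for one ActiveX control and can set the kill bit (0x400) on it. The CLSID is an assumption (the class ID of the Shockwave Flash Object control, which the advisory does not state), and the function names `Get-KillBitStatus` and `Set-KillBit` are hypothetical.

```powershell
# Added example: audit and optionally set an ActiveX kill bit (KB240797).
# Assumption: this CLSID is the Shockwave Flash Object control; the advisory does not list it.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE and Office

# Native and 32-bit-on-64-bit registry views; a 32-bit Office on 64-bit Windows reads the second.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([string]$Clsid = $FlashClsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this host
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $prop  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            $flags = $prop.'Compatibility Flags'
        }
        [pscustomobject]@{
            Key    = $key
            Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            Killed = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-KillBit {
    # Needs an elevated session. Other compatibility flags already present are preserved.
    param([string]$Clsid = $FlashClsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $new  = ([int]$prop.'Compatibility Flags') -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report only; call Set-KillBit explicitly to apply the workaround.
Get-KillBitStatus | Format-Table -AutoSize
```

Setting the kill bit blocks the control everywhere the kill-bit infrastructure is honored, so it disables Flash content in IE as well as in Office documents.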
