(Adobe Issues Fix) Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically
|
|
SecurityTracker Alert ID: 1016831 |
|
SecurityTracker URL: http://securitytracker.com/id/1016831
|
|
CVE Reference:
CVE-2006-3014
(Links to External Site)
|
Date: Sep 12 2006
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel 'Shockwave Flash Object' function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user.
The vendor was notified on May 3, 2006.
Debasis Mohanty (aka Tr0y) discovered this vulnerability.
The original advisory, including a demonstration exploit, is available at:
http://hackingspirits.com/vuln-rnd/vuln-rnd.html
|
Impact:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution:
Adobe has issued a fixed version of FlashPlayer (9.0.16.0).
The Adobe advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb06-11.html
|
Vendor URL: www.adobe.com/support/security/bulletins/apsb06-11.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 12 Sep 2006 15:53:25 -0400
Subject: http://www.adobe.com/support/security/bulletins/apsb06-11.html
|
Multiple Vulnerabilities in Adobe Flash Player 8.0.24.0 and Earlier Versions
Release Date: September 12, 2006
Vulnerability Identifier: APSB06-11
CVE Number: CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
|
|
