
Is active content in an excel workbook (embedded object, not VBA) a security risk?

  1. #1
    Registered User
    Join Date
    08-14-2003
    Location
    New Zealand
    Posts
    41

    Is active content in an excel workbook (embedded object, not VBA) a security risk?

    Hi All,

    I was passed a workbook by a colleague that has an embedded Shockwave Flash file in a worksheet.

    The file contains no detectable code whatsoever, so it *appears* to be entirely safe to open.

    However, clearly the Shockwave Flash file is active content of a sort.

    I am not really familiar with this type of thing, so I am wondering if it is a security risk in general (whether or not this particular one is)?

    I have attached the file within the ExcelForum webfeed that links to microsoft.public.excel.programming as a text posting. This post should have a URL to the file at the bottom if you are interested.

    *WARNING*

    The file may or may not be safe. I have no reason to suspect that it is not, but the point of my post is to garner opinions as to whether this is a generic security risk (even if this particular example is benign).

    Also, the flash animation consists of line drawn animated caveman characters. The subject could, I guess, offend some people, but most will just find it vaguely amusing. For the avoidance of doubt, there is nothing explicit (they disappear into a cave, and you can infer what they are doing).

    I added my own code to the file as follows to determine what I could about the object:

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Sub TestObj()

    Dim mysheet As Worksheet
    Dim obj As OLEObject

    Set mysheet = Worksheets("Arkusz1")
    Set obj = mysheet.OLEObjects(1)

    Debug.Print "AltHTML = " & obj.AltHTML
    Debug.Print "AutoLoad = " & obj.AutoLoad
    Debug.Print "Creator = " & obj.Creator
    Debug.Print "Locked = " & obj.Locked
    Debug.Print "Name = " & obj.Name
    Debug.Print "OLEType = " & obj.OLEType
    Debug.Print "ProgId = " & obj.ProgId
    Debug.Print "Verb = " & obj.Verb
    Debug.Print "ZOrder = " & obj.ZOrder


    ' This would return an object so nonsensical to print it
    ' but is it just a reference to itself or some other object?
    ' If the latter, then what?
    '
    ' Debug.Print "Object = " & obj.Object


    ' Not sure why this fails it should be a string, but it errors out.
    '
    ' Debug.Print "SourceName = " & obj.SourceName


    End Sub


    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


    The output to my immediate window is as follows:

    AltHTML =
    AutoLoad = False
    Creator = 1480803660
    Locked = True
    Name = ShockwaveFlash2
    OLEType = 2
    ProgId = ShockwaveFlash.ShockwaveFlash.1
    Verb = True
    ZOrder = 1




    Any comments are welcome!

    Thanks,

    Alan.
    To help us help you, try to do the following:

    1) Be precise about what you want to do, and provide a sample of your data / inputs - exactly as they are.

    2) State the formula(e) / code that you have tried. People are happy to help, but if you haven't even given it a go, you are less likely to get help, or the help you get will be very basic.

    3) State the results you are getting from your formula(e) / code already.

    4) State the outputs that you *want* to be getting.
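
Added example, not part of the original post or thread: a VBA macro that extends the inspection in post #1 to every OLE object on every worksheet and labels each by its OLEType (the value 2 in the output above is xlOLEControl, an ActiveX control). The names AuditOleObjects and SafeProgId are assumptions made for this example, as is the guard that reads SourceName only for linked objects.

```vba
' Added example (not from the original post): list every OLE object in the
' active workbook by reading properties only, without driving the objects.
Option Explicit

Sub AuditOleObjects()
    Dim ws As Worksheet
    Dim obj As OLEObject
    Dim kind As String
    Dim src As String

    For Each ws In ActiveWorkbook.Worksheets
        For Each obj In ws.OLEObjects
            ' XlOLEType: 0 = linked, 1 = embedded, 2 = ActiveX control
            Select Case obj.OLEType
                Case xlOLELink: kind = "linked object"
                Case xlOLEEmbed: kind = "embedded object"
                Case xlOLEControl: kind = "ActiveX control"
                Case Else: kind = "unknown (" & obj.OLEType & ")"
            End Select

            ' SourceName holds a link source name. Assumption: it is only
            ' meaningful for linked objects, so it is read for those alone.
            src = "(n/a)"
            If obj.OLEType = xlOLELink Then
                On Error Resume Next
                src = obj.SourceName
                On Error GoTo 0
            End If

            ' Verb and Activate are methods that send a verb to the object's
            ' server, so an inventory pass leaves them alone.
            Debug.Print ws.Name & "!" & obj.Name & _
                " | " & kind & _
                " | ProgId=" & SafeProgId(obj) & _
                " | Source=" & src
        Next obj
    Next ws
End Sub

' Hypothetical helper: returns the ProgId, or a marker if it cannot be read.
Function SafeProgId(obj As OLEObject) As String
    SafeProgId = "(unavailable)"
    On Error Resume Next
    SafeProgId = obj.progID
    On Error GoTo 0
End Function
```

The report is written to the Immediate window, one line per object.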

  2. #2
    Registered User
    Join Date
    08-14-2003
    Location
    New Zealand
    Posts
    41

    Is active content in an excel workbook (embedded object, not VBA) a security risk?

    Apologies!

    I cannot attach the file as the limit is 100kb and it is 292kb zipped up.

    If anyone wants it desperately, I can make it available to download elsewhere, but I don't think you really need access to the actual file to answer the question?


    Thanks,

    Alan.

  3. #3
    Alan
    Guest

    Re: Is active content in an excel workbook (embedded object, not VBA) a security risk?

    "Alan" <[email protected]> wrote in message news:[email protected]...
    >
    > I am wondering if it is a security risk in general
    > (and whether or not this particular one is)?
    >


    {Bump}




