12.25.2008

VU#541025: Trend Micro HouseCall ActiveX control does not adequately validate update server parameters

Vulnerability Note VU#541025

Trend Micro HouseCall ActiveX control does not adequately validate update server parameters

Overview

The Trend Micro HouseCall ActiveX control contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The Trend Micro HouseCall ActiveX control (Housecall_ActiveX.dll) includes an update feature. A web page hosting the control can specify update server parameters, and the control does not adequately restrict the type of file or download location. Further details are available from Secunia.

Insecure software update features are a common class of vulnerability, for example, see "Secure Software Updates: Disappointments and New Challenges."

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker can download an arbitrary file to a location writeable by the user. By writing to a location like a startup directory or a user's desktop, the attacker can increase the chances of the user executing the file.

III. Solution

Install an updated version of the HouseCall ActiveX control

According to Trend Micro [Hot Fix] B1285, sites running HouseCall should "Request the HouseCall 6.6 Hot Fix Build 1285 file from Trend Micro Technical Support."

Trend Micro [Hot Fix] B1285 states that "The public HouseCall Server 6.6 has been patched." Examination of the free online HouseCall web site (as of 2008-12-24) shows that visitors are directed to a URL that indicates HouseCall version 6.5 and provided with a vulnerable version (6.51.0.1028) of the ActiveX control. According to Secunia, users should remove existing versions of the control and install version 6.6.0.1285 from http://prerelease.trendmicro-europe.com/hc66/launch/.



Disable the HouseCall ActiveX control in Internet Explorer

The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {215B8138-A3CF-44c5-803F-8226143CFC0A}
    {6E5A37BF-FD42-463A-877C-4EB7002E68AE}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{215B8138-A3CF-44c5-803F-8226143CFC0A}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor: Trend Micro
Status: Vulnerable
Date Notified / Date Updated: 2008-12-25

References

http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer

http://secunia.com/advisories/31337

http://secunia.com/secunia_research/2008-32/

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646

http://prerelease.trendmicro-europe.com/hc66/launch/

http://support.microsoft.com/kb/240797

http://prisms.cs.umass.edu/~kevinfu/papers/secureupdates-hotsec06.pdf

Credit

This vulnerability was reported by Alin Rad Pop of Secunia Research.

This document was written by Art Manion.

Other Information

Date Public: 2008-12-21
Date First Published: 2008-12-25
Date Last Updated: 2008-12-25
CERT Advisory:
CVE-ID(s): CVE-2008-2434
NVD-ID(s): CVE-2008-2434
US-CERT Technical Alerts:
Metric: 15.75
Document Revision: 7
12.25.2008

VU#702628: Trend Micro HouseCall ActiveX control notifyOnLoadNative() uses previously free'd memory

Vulnerability Note VU#702628

Trend Micro HouseCall ActiveX control notifyOnLoadNative() uses previously free'd memory

Overview

The Trend Micro HouseCall ActiveX control contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The Trend Micro HouseCall ActiveX control (Housecall_ActiveX.dll) contains a "use-after-free" vulnerability. Using a web page containing a specially crafted call to notifyOnLoadNative(), an attacker can write to heap memory and potentially execute arbitrary code. Further details are available from Secunia.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.

III. Solution

Install an updated version of the HouseCall ActiveX control

According to Trend Micro [Hot Fix] B1285, sites running HouseCall should "Request the HouseCall 6.6 Hot Fix Build 1285 file from Trend Micro Technical Support."

Trend Micro [Hot Fix] B1285 states that "The public HouseCall Server 6.6 has been patched." Examination of the free online HouseCall web site (as of 2008-12-24) shows that visitors are directed to a URL that indicates HouseCall version 6.5 and provided with a vulnerable version (6.51.0.1028) of the ActiveX control. According to Secunia, users should remove existing versions of the control and install version 6.6.0.1285 from http://prerelease.trendmicro-europe.com/hc66/launch/.



Disable the HouseCall ActiveX control in Internet Explorer

The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {215B8138-A3CF-44c5-803F-8226143CFC0A}
    {6E5A37BF-FD42-463A-877C-4EB7002E68AE}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{215B8138-A3CF-44c5-803F-8226143CFC0A}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}]
    "Compatibility Flags"=dword:00000400
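
The .REG text above (given in both HouseCall notes) writes the kill bit value directly. The following PowerShell script is an added example and is not part of the CERT note or of any Trend Micro or Microsoft material: it sets the kill bit for the two CLSIDs listed above and then reads the values back to confirm that bit 0x400 is present, which is the check an administrator wants after importing a .REG file on many machines. It assumes an elevated (administrator) session, since the keys live under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the CERT note): set and verify the Internet Explorer
# ActiveX kill bit for the two HouseCall CLSIDs listed in the note.
# Requires an elevated PowerShell session (writes under HKLM).
$KillBit = 0x400    # "Compatibility Flags" bit that marks a control as killed
$Clsids  = @(
    '{215B8138-A3CF-44c5-803F-8226143CFC0A}',
    '{6E5A37BF-FD42-463A-877C-4EB7002E68AE}'
)
$Base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

foreach ($clsid in $Clsids) {
    $key = Join-Path $Base $clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any compatibility flags already present and OR in the kill bit,
    # instead of overwriting the value as a plain .REG import would.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBit) -Type DWord
}

# Verification pass: read every value back and report whether bit 0x400 is set.
foreach ($clsid in $Clsids) {
    $key   = Join-Path $Base $clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $isKilled = ($flags -band $KillBit) -ne 0
    '{0}  Compatibility Flags=0x{1:X8}  kill bit set: {2}' -f $clsid, $flags, $isKilled
}
```

The .REG fragment in the note sets the value to exactly 00000400; the script instead ORs the kill bit into whatever flags already exist, so any other compatibility flags recorded for the control are kept. The second loop is the part worth keeping in a deployment script: a missing key, a value of the wrong type, or a typo in a CLSID all show up as "kill bit set: False" rather than silently leaving the control enabled.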

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor: Trend Micro
Status: Vulnerable
Date Notified / Date Updated: 2008-12-24

References

https://www.securecoding.cert.org/confluence/display/seccode/MEM30-C.+Do+not+access+freed+memory

http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer

http://secunia.com/advisories/31583/

http://secunia.com/secunia_research/2008-34/

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646

http://prerelease.trendmicro-europe.com/hc66/launch/

http://support.microsoft.com/kb/240797

Credit

This vulnerability was reported by Alin Rad Pop of Secunia Research.

This document was written by Art Manion.

Other Information

Date Public: 2008-12-21
Date First Published: 2008-12-25
Date Last Updated: 2008-12-30
CERT Advisory:
CVE-ID(s): CVE-2008-2435
NVD-ID(s): CVE-2008-2435
US-CERT Technical Alerts:
Metric: 9.69
Document Revision: 23
12.24.2008

VU#696644: Microsoft SQL Server fails to properly validate parameters to the sp_replwritetovarbin extended stored procedure

Vulnerability Note VU#696644

Microsoft SQL Server fails to properly validate parameters to the sp_replwritetovarbin extended stored procedure

Overview

A vulnerability in the Microsoft SQL Server sp_replwritetovarbin extended stored procedure could allow an authenticated attacker to execute arbitrary code on an affected server.

I. Description

Some versions of Microsoft SQL Server contain a vulnerability in the sp_replwritetovarbin extended stored procedure. The vulnerability could allow an attacker to modify heap memory and potentially execute arbitrary code. The vulnerability is described in SEC Consult Security Advisory 20081209-0. Microsoft Security Bulletin MS09-004 provides further details, including affected database versions and workarounds.

In order to access sp_replwritetovarbin, an attacker would need to authenticate to the database first. A separate SQL injection vulnerability in a web application could allow a remote, unauthenticated attacker to exploit the sp_replwritetovarbin vulnerability with the user credentials of the web application. Microsoft Security Advisory (954462) provides detection and mitigation advice for SQL injection vulnerabilities.

Exploit code is publicly available for this vulnerability.

II. Impact

A local or remote authenticated attacker may be able to execute arbitrary code with the privileges of the SQL Server on the affected system. In the case of a SQL injection vulnerability in a web application that uses a vulnerable database, a remote attacker may be able to exploit the sp_replwritetovarbin vulnerability with credentials of the web application.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS09-004.

Workarounds

Deny execute permissions on sp_replwritetovarbin as described in Microsoft Security Bulletin MS09-004.

Alternatively, remove sp_replwritetovarbin using sp_dropextendedproc as described in SEC Consult Security Advisory 20081209-0 and "Removing an Extended Stored Procedure from SQL Server."

Removing execute permissions or removing sp_replwritetovarbin may impact application functionality.

Systems Affected

Vendor: Microsoft Corporation
Status: Vulnerable
Date Notified: 2008-12-19
Date Updated: 2009-02-10

References

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

http://www.milw0rm.com/exploits/7501

http://www.microsoft.com/technet/security/advisory/961040.mspx

http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

http://msdn.microsoft.com/en-us/library/aa933290(SQL.80).aspx

http://www.microsoft.com/technet/security/advisory/954462.mspx

http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

Credit

This vulnerability was reported by Bernhard Mueller of SEC Consult Vulnerability Lab.

This document was written by Chad R Dougherty and Art Manion.

Other Information

Date Public: 2008-12-09
Date First Published: 2008-12-24
Date Last Updated: 2009-02-10
CERT Advisory:
CVE-ID(s): CVE-2008-5416
NVD-ID(s): CVE-2008-5416
US-CERT Technical Alerts: TA09-041A
Metric: 4.45
Document Revision: 18
12.11.2008

VU#926676: Microsoft WordPad Text Converter vulnerable to remote code execution

Vulnerability Note VU#926676

Microsoft WordPad Text Converter vulnerable to remote code execution

Overview

The WordPad Text Converter for Word 97 files included in some versions of Windows contains an unspecified error which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft WordPad is a text editor included by default with the Windows operating system. It includes WordPad Text Converters that allow users who do not have Microsoft Word installed to open documents in older file formats, including Microsoft Office Word 97.

An unspecified error in the way that the WordPad Text Converter for Word 97 handles files in this format results in memory corruption that could allow an attacker to execute arbitrary code. Microsoft Office Word 97 files may have file extensions such as .doc, .wri, or .rtf. While Microsoft Office Word has the ability to open Office Word 97 files, it is not affected by this vulnerability. However, in the default configuration, Windows will open files having the .wri extension with WordPad. Therefore, it is likely that systems that have Microsoft Office Word installed will still open a malicious Microsoft Office Word 97 document with this extension using the affected WordPad.



Microsoft notes that Windows XP Service Pack 3, Windows Vista and Windows Vista Service Pack 1 (including x64 editions), and Windows Server 2008 are not affected by this vulnerability.



This vulnerability is currently being exploited in the wild.

II. Impact

By convincing a user to view a specially crafted Word 97 document (e.g., an attachment supplied in email), a remote attacker may be able to execute arbitrary commands with the privileges of the user.

III. Solution

We are currently unaware of a practical solution to this problem.

Disable the WordPad Text Converter for Word 97 file format

Microsoft has included instructions for disabling the affected component in Microsoft Security Advisory (960906).

Systems Affected

Vendor: Microsoft Corporation
Status: Vulnerable
Date Notified / Date Updated: 2008-12-11

References

http://www.microsoft.com/technet/security/advisory/960906.mspx

Credit

This document was written by Chad R Dougherty.

Other Information

Date Public: 2008-12-09
Date First Published: 2008-12-11
Date Last Updated: 2008-12-11
CERT Advisory:
CVE-ID(s): CVE-2008-4841
NVD-ID(s): CVE-2008-4841
US-CERT Technical Alerts:
Metric: 6.88
Document Revision: 11
10.31.2008

VU#981849: Automated Solutions Modbus TCP Slave ActiveX Control Vulnerability

Vulnerability Note VU#981849

Automated Solutions Modbus TCP Slave ActiveX Control Vulnerability

Overview

Automated Solutions Modbus TCP Slave ActiveX Control contains a vulnerability that may allow a remote attacker to execute arbitrary code or cause a denial-of-service.

I. Description

Automated Solutions Modbus TCP Slave ActiveX Control fails to properly process malformed "Modbus" requests to TCP port 502 due to an error in "MiniHMI.exe". According to TippingPoint:

    When processing malformed Modbus requests on this port a controllable heap corruption can occur which may result in execution of arbitrary code.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running the MiniHMI.exe or cause a denial-of-service.

III. Solution

Upgrade

Automated Solutions has addressed this issue with an update. OEMs who suspect they use an affected version of the Automated Solutions Modbus TCP Slave ActiveX Control should contact Automated Solutions for more information. A link to an executable is available via TippingPoint; however, the nature of this executable is not known, and running unknown executables is not advisable.

Restrict Access

Permit network access only as required for proper site operation.

Systems Affected

Vendor: Automated Solutions
Status: Vulnerable
Date Notified / Date Updated: 2008-10-31

References

http://www.zerodayinitiative.com/advisories/TPTI-07-15.html

http://www.securiteam.com/windowsntfocus/5LP0L00MKM.html

http://www.securityfocus.com/archive/1/archive/1/479967/100/0/threaded

http://www.nessus.org/plugins/index.php?view=single&id=26066

http://www.automatedsolutions.com/pub/asmbslv/ReadMe.htm

http://www.securityfocus.com/bid/25713

http://www.securitytracker.com/id?1018707

http://xforce.iss.net/xforce/xfdb/36677

Credit

This vulnerability was reported by Ganesh Devarajan of TippingPoint DVLabs.

This document was written by Chris Taschner.

Other Information

Date Public: 2007-09-20
Date First Published: 2008-12-19
Date Last Updated: 2008-12-19
CERT Advisory:
CVE-ID(s): CVE-2007-4827
NVD-ID(s): CVE-2007-4827
US-CERT Technical Alerts:
Metric: 2.84
Document Revision: 15
