07.28.2009

VU#456745: ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Vulnerability Note VU#456745

ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as "safe for scripting," which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as "safe for initialization," which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This protection also covers techniques that can be used to bypass the kill bit in Internet Explorer.





Update and recompile ActiveX controls



Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.



Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.


Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe | Vulnerable | | 2009-07-30 |
| Alcatel-Lucent | Unknown | 2009-07-28 | 2009-07-28 |
| America Online, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Apple Inc. | Not Vulnerable | 2009-07-28 | 2009-07-31 |
| Attachmate | Unknown | 2009-07-28 | 2009-07-28 |
| Aurigma Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| Axis | Unknown | 2009-07-28 | 2009-07-28 |
| BT | Unknown | 2009-07-28 | 2009-07-28 |
| Business Objects | Unknown | 2009-07-28 | 2009-07-28 |
| Callisto Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| Cisco Systems, Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| Computer Associates eTrust Security Management | Unknown | 2009-07-28 | 2009-07-28 |
| Computer Emergency Response Team Brazil | Unknown | 2009-07-28 | 2009-07-28 |
| Corel Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| E-Book Systems Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| eBay | Unknown | 2009-07-28 | 2009-07-28 |
| Electronic Arts | Unknown | 2009-07-28 | 2009-07-28 |
| ESET, LLC. | Unknown | 2009-07-28 | 2009-07-28 |
| F5 Networks, Inc. | Vulnerable | 2009-07-28 | 2009-07-29 |
| GameTap-Turner Broadcasting subsidiary | Unknown | 2009-07-28 | 2009-07-28 |
| GOVCERT-NL | Unknown | 2009-07-28 | 2009-07-28 |
| Gracenote | Unknown | 2009-07-28 | 2009-07-28 |
| Hewlett-Packard Company | Unknown | 2009-07-28 | 2009-07-28 |
| Husdawg | Unknown | 2009-07-28 | 2009-07-28 |
| IBM Corporation | Not Vulnerable | 2009-07-28 | 2009-07-29 |
| Iconics, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| IncrediMail Ltd. | Unknown | 2009-07-28 | 2009-07-28 |
| Infotriever, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| InterActual Technologies, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Intuit, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Juniper Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Kodak Easy Share Gallery | Unknown | 2009-07-28 | 2009-07-28 |
| Lenovo | Unknown | 2009-07-28 | 2009-07-28 |
| LizardTech, Inc | Unknown | 2009-07-28 | 2009-07-28 |
| LogicNP | Not Vulnerable | 2009-07-28 | 2009-07-30 |
| Lotus Software | Unknown | 2009-07-28 | 2009-07-28 |
| Media Technology Group | Unknown | 2009-07-28 | 2009-07-28 |
| Microsoft Corporation | Vulnerable | | 2009-07-28 |
| Motive | Unknown | 2009-07-28 | 2009-07-28 |
| Move Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Namzak Labs Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Nokia | Unknown | 2009-07-28 | 2009-07-28 |
| Novell, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Oracle Corporation | Unknown | 2009-07-28 | 2009-07-28 |
| OSISoft | Vulnerable | | 2009-08-04 |
| Panda Software Ltd. | Unknown | 2009-07-28 | 2009-07-28 |
| PNI Digital Media | Unknown | 2009-07-28 | 2009-07-28 |
| Radiant Systems | Unknown | 2009-07-28 | 2009-07-28 |
| RealNetworks, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Research in Motion (RIM) | Unknown | 2009-07-28 | 2009-07-28 |
| SafeNet | Unknown | 2009-07-28 | 2009-07-28 |
| SAP | Unknown | 2009-07-28 | 2009-07-28 |
| ScriptLogic | Unknown | 2009-07-28 | 2009-07-28 |
| Siemens | Unknown | 2009-07-28 | 2009-07-28 |
| Simba Technologies | Unknown | 2009-07-28 | 2009-07-28 |
| SoftArtisans, Inc | Unknown | 2009-07-28 | 2009-07-28 |
| SonicWall | Vulnerable | 2009-07-28 | 2009-07-30 |
| Sun Microsystems, Inc. | Vulnerable | | 2009-08-05 |
| SupportSoft, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| SwiftView | Unknown | 2009-07-28 | 2009-07-28 |
| Symantec | Unknown | 2009-07-28 | 2009-07-28 |
| Trend Micro | Unknown | 2009-07-28 | 2009-07-28 |
| Unigraphics Solutions | Unknown | 2009-07-28 | 2009-07-28 |
| VanDyke Software | Not Vulnerable | 2009-07-28 | 2009-08-04 |
| View22 | Unknown | 2009-07-28 | 2009-07-28 |
| WeOnlyDo! Software | Unknown | 2009-07-28 | 2009-07-28 |
| WinZip Computing, Inc. | Unknown | 2009-07-28 | 2009-07-28 |
| Worldspan | Unknown | 2009-07-28 | 2009-07-28 |
| Xerox | Unknown | 2009-07-28 | 2009-07-28 |
| Yahoo, Inc. | Unknown | 2009-07-28 | 2009-07-28 |

References

http://www.kb.cert.org/vuls/id/180513



http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

http://www.microsoft.com/security/atl.aspx

http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx

http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx

http://www.microsoft.com/technet/security/advisory/973882.mspx

http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx

http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx

http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx

http://support.microsoft.com/kb/168371

http://support.microsoft.com/kb/240797

http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html

http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx

http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx

http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx

http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx

Credit

Thanks to Microsoft for reporting this vulnerability. Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.

This document was written by Will Dormann.

Other Information

Date Public: 2009-07-09
Date First Published: 2009-07-28
Date Last Updated: 2009-08-05
CERT Advisory:
CVE-ID(s): CVE-2009-0901; CVE-2009-2493; CVE-2009-2495
NVD-ID(s): CVE-2009-0901; CVE-2009-2493; CVE-2009-2495
US-CERT Technical Alerts:
Metric: 47.08
Document Revision: 39

04.15.2009

VU#789121: Microsoft Whale Intelligent Application Gateway Whale Client Components ActiveX control stack buffer overflows

Vulnerability Note VU#789121

Microsoft Whale Intelligent Application Gateway Whale Client Components ActiveX control stack buffer overflows

Overview

The Microsoft Whale Intelligent Application Gateway Whale Client Components ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Whale Communications Intelligent Application Gateway is an application that provides SSL VPN functionality. The Whale Client Components, which is provided by the file WhlMgr.dll, contains stack buffer overflow vulnerabilities in the CheckForUpdates() and UpdateComponents() methods. Note that Whale Communications is a subsidiary of Microsoft.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause the web browser to crash.

III. Solution

Apply an update

This issue is addressed in Service Pack 1 for both Whale Communications Intelligent Application Gateway (IAG) 3.6 and Microsoft Intelligent Application Gateway 2007.





Disable the Whale Client Components ActiveX control in Internet Explorer



The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {8D9563A9-8D5F-459B-87F2-BA842255CB9A}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D9563A9-8D5F-459B-87F2-BA842255CB9A}]
    "Compatibility Flags"=dword:00000400

Please note that setting the kill bit will break the Intelligent Application Gateway functionality.





Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.


Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Vulnerable | 2006-12-14 | 2009-05-27 |

References

http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer



http://technet.microsoft.com/en-us/library/dd282918.aspx

http://support.microsoft.com/kb/240797

Credit

This vulnerability was reported by Will Dormann of CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public: 2009-04-15
Date First Published: 2009-04-15
Date Last Updated: 2009-05-27
CERT Advisory:
CVE-ID(s): CVE-2007-2238
NVD-ID(s): CVE-2007-2238
US-CERT Technical Alerts:
Metric: 3.41
Document Revision: 16

03.31.2009

VU#985449: SAP AG SAPgui EAI WebViewer3D ActiveX control stack buffer overflow

Vulnerability Note VU#985449

SAP AG SAPgui EAI WebViewer3D ActiveX control stack buffer overflow

Overview

The Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control, which comes with SAPgui, contains a stack buffer overflow. This may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

SAP AG SAPgui includes an ActiveX control called EAI WebViewer3D, which is produced by Unigraphics Solutions, a division of Siemens. The EAI WebViewer3D ActiveX control, which is provided by webviewer3d.dll, contains a stack buffer overflow in the SaveViewToSessionFile() method. Although the ActiveX control is produced by Siemens, it is reported to only be used by SAP.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause the web browser to crash.

III. Solution

Apply an update

This issue is addressed with SAPgui 7.10 Patch Level 9. This update sets the kill bit for the vulnerable control, since it was not intended for use in Internet Explorer. Although the SAPgui 7.10 Patch Level 8 release notes indicate that the control is disabled via the kill bit, please note that the kill bit was not properly set until Patch Level 9. Please also consider the following workarounds:





Disable the EAI WebViewer3D ActiveX control in Internet Explorer



The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {AFBBE070-7340-11d2-AA6B-00E02924C34E}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AFBBE070-7340-11d2-AA6B-00E02924C34E}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| SAP | Vulnerable | 2008-07-21 | 2009-03-31 |
| Siemens CERT | Vulnerable | 2007-07-07 | 2009-02-16 |
| Unigraphics Solutions | Vulnerable | 2007-10-29 | 2009-02-16 |

References

http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer



https://service.sap.com/sap/support/notes/1153794

http://support.microsoft.com/kb/240797

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public: 2009-03-31
Date First Published: 2009-03-31
Date Last Updated: 2009-04-13
CERT Advisory:
CVE-ID(s): CVE-2007-4475
NVD-ID(s): CVE-2007-4475
US-CERT Technical Alerts:
Metric: 10.48
Document Revision: 18

11.7.2008

VU#277313: SAP AG SAPgui MDrmSap ActiveX control code execution vulnerability

Vulnerability Note VU#277313

SAP AG SAPgui MDrmSap ActiveX control code execution vulnerability

Overview

The MDrmSap ActiveX control, which is provided with the SAP AG SAPgui software, contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

SAPgui is a graphical user interface client for SAP software. One of the components provided by SAPgui is an ActiveX control called MDrmSap, which is provided by the file mdrmsap.dll. This ActiveX control was developed by Simba Technologies for use with the SAPgui product. The MDrmSap ActiveX control contains an unspecified flaw that causes Internet Explorer to crash in an exploitable manner when it attempts to instantiate the control.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.

III. Solution

Apply an update

This vulnerability is addressed in the patch provided by SAP Note 1142431 (login required).





Disable the MDrmSap ActiveX control in Internet Explorer



The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {B01952B0-AF66-11D1-B10D-0060086F6D97}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B01952B0-AF66-11D1-B10D-0060086F6D97}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
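
The kill-bit workarounds in the three notes above (VU#789121, VU#985449 and VU#277313) can be verified on a host with the following PowerShell audit. This is an added example, not part of the CERT/CC notes; it assumes PowerShell 3.0 or later, and the `WOW6432Node` path (the registry view read by 32-bit Internet Explorer on 64-bit Windows) and the function name `Get-KillBitState` are not on the page.

```powershell
# Added example: report kill-bit state for the three CLSIDs listed in the notes above.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD, so it is tested with
# a bitwise AND: other compatibility bits may be set in the same value.
$KillBit = 0x400

# CLSIDs copied from the page; the labels are descriptive only.
$Controls = [ordered]@{
    '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}' = 'Whale Client Components (VU#789121)'
    '{AFBBE070-7340-11d2-AA6B-00E02924C34E}' = 'EAI WebViewer3D (VU#985449)'
    '{B01952B0-AF66-11D1-B10D-0060086F6D97}' = 'MDrmSap (VU#277313)'
}

# Native registry view plus the 32-bit view (assumption: the second path is not
# mentioned on the page; it applies to 32-bit Internet Explorer on 64-bit Windows).
$Roots = [ordered]@{
    'native' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-KillBitState {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Clsid
    )
    $key = "$Root\$Clsid"
    # No key at all: the control has no compatibility entry in this view.
    if (-not (Test-Path -LiteralPath $key)) { return 'KeyMissing' }

    # Key exists but carries no "Compatibility Flags" value.
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }

    $flags = [int64] $item.'Compatibility Flags'
    if (($flags -band $KillBit) -ne 0) { 'KillBitSet' } else { 'KillBitNotSet' }
}

$report = foreach ($view in $Roots.Keys) {
    $root = $Roots[$view]
    # WOW6432Node does not exist on 32-bit Windows; skip views that are absent.
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsid in $Controls.Keys) {
        [pscustomobject]@{
            Control = $Controls[$clsid]
            Clsid   = $clsid
            View    = $view
            State   = Get-KillBitState -Root $root -Clsid $clsid
        }
    }
}

$report | Format-Table -AutoSize
```

A control is blocked for a given Internet Explorer bitness only when the matching view reports `KillBitSet`; a host where only one of the two views is set still loads the control in the other.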

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| eEye | Unknown | 2008-11-12 | 2008-11-12 |
| SAP | Vulnerable | 2007-07-07 | 2008-11-10 |
| Simba Technologies | Vulnerable | 2007-12-12 | 2008-11-10 |

References

http://www.kb.cert.org/vuls/id/680526



http://service.sap.com/sap/support/notes/1142431

http://support.microsoft.com/kb/240797

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public: 2008-11-07
Date First Published: 2008-11-07
Date Last Updated: 2009-04-13
CERT Advisory:
CVE-ID(s): CVE-2008-4387
NVD-ID(s): CVE-2008-4387
US-CERT Technical Alerts:
Metric: 10.94
Document Revision: 11
