WebEx Meeting Manager Vulnerable ActiveX

An ActiveX control installed by Cisco WebEx Meeting Manager, atucfobj.dll, is vulnerable to remote code execution or denial of service. The control is installed when a user connects to a WebEx meeting service, and when a user connects to an upgraded meeting service the client-side control is upgraded automatically. Exploit code for this vulnerability has been released publicly.

As an aside, the interesting part of this vulnerability, according to a post on NANOG, is that even if you have removed the old client from your machine and have the latest version installed, connecting to a meeting service that is NOT up to date can make you vulnerable again, since the control is delivered by the meeting service itself.

The full vulnerability details can be found at http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Office Access Remote Code Execution

Microsoft Office Access 2000, 2002, and 2003 contain a vulnerable ActiveX control. This control is the component that lets a user view an Access report snapshot without having the standard or run-time version of Microsoft Office Access installed. A malicious website can exploit it to take complete control of a visitor's system (remote code execution). The ideal mitigation is to disable the affected control by setting the kill bit for the affected CLSIDs: F0E42D50-368C-11D0-AD81-00A0C90DC8D9, F0E42D60-368C-11D0-AD81-00A0C90DC8D9 and F2175210-368C-11D0-AD81-00A0C90DC8D9. See http://support.microsoft.com/kb/240797 for more information on setting the kill bit.
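
The kill-bit procedure from KB240797 amounts to writing one registry value per CLSID. The following PowerShell is an added example (not code from the page, from Microsoft, or from the KB article) that sets the kill bit for the three Access CLSIDs listed above and then reads it back to confirm. It assumes an elevated (Administrator) shell and the native registry view; the function names Set-ActiveXKillBit and Test-ActiveXKillBit are this example's own.

```powershell
# Added example: set the Internet Explorer kill bit for the three Office Access
# snapshot-viewer CLSIDs named in the advisory, following the KB240797 procedure.
# Assumes an elevated shell. Function names are this example's own.
$Clsids = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)
$CompatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400   # "Compatibility Flags" bit: IE must never instantiate this CLSID

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $CompatBase $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit into any flags already present rather than overwriting them.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key   = Join-Path $CompatBase $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($null -ne $flags) -and (($flags -band $KillBit) -ne 0))
}

foreach ($c in $Clsids) {
    Set-ActiveXKillBit -Clsid $c
    '{0}  kill bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
}
```

Two caveats a practitioner should keep in mind: on 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so set it there as well; and the kill bit only stops Internet Explorer (and other hosts that honour it) from instantiating the control, it does not remove the DLL, so the control is still reachable from any host that does not check the flag. The same procedure applies to any other CLSID on this page once you have it from the vendor advisory.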

Symantec Internet Security 2008 Vulnerable ActiveX

There appear to be two vulnerable ActiveX controls in Symantec Internet Security 2008; the details reported for both point at the same file and CLSID:

ProgID: SymAData.ActiveDataInfo.1
CLSID: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

These controls are marked safe for scripting by Symantec. According to Symantec, although they are marked safe for scripting they will only run from the "symantec.com" domain, so successful exploitation would require XSS or DNS poisoning to get the malicious page served from that domain; if that is achieved, simply viewing the page could give an attacker complete control over the user's system. Symantec has issued updates to fix these vulnerabilities.
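
When an advisory like this one gives you a CLSID, file and version, the first thing to check on an affected host is whether that CLSID is actually registered, which DLL and version it resolves to, whether the registry marks it safe for scripting or initialization, and whether a kill bit is already in place. The following PowerShell is an added example (not Symantec's code and not from the page) that collects exactly those facts for the CLSID above; the function name Get-ActiveXRegistration and the output field names are this example's own.

```powershell
# Added example: audit how an ActiveX CLSID is registered on this host.
# Assumes it runs on the machine being checked; no elevation is needed to read.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit = 0x400

function Get-ActiveXRegistration {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $clsKey)) { return $null }   # not registered on this machine

    $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $progId = (Get-ItemProperty -Path "$clsKey\ProgID"         -ErrorAction SilentlyContinue).'(default)'
    $ver    = $null
    if ($dll -and (Test-Path $dll)) { $ver = (Get-Item $dll).VersionInfo.FileVersion }

    # Static safety marks live under "Implemented Categories"; a kill bit lives
    # under IE's ActiveX Compatibility key.
    $catKey = "$clsKey\Implemented Categories"
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags  = (Get-ItemProperty -Path $compat -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'

    New-Object PSObject -Property @{
        Clsid               = $Clsid
        ProgId              = $progId
        Dll                 = $dll
        FileVersion         = $ver
        SafeForScripting    = (Test-Path "$catKey\$CATID_SafeForScripting")
        SafeForInitializing = (Test-Path "$catKey\$CATID_SafeForInitializing")
        KillBitSet          = (($null -ne $flags) -and (($flags -band $KillBit) -ne 0))
    }
}

Get-ActiveXRegistration -Clsid '{3451DEDE-631F-421c-8127-FD793AFC6CC8}' | Format-List
```

If FileVersion still reads 2.7.0.1 the Symantec update has not been applied. One caveat: a control can also declare itself safe at runtime through the IObjectSafety interface instead of (or in addition to) the registry categories, and a domain restriction of the kind Symantec describes is a runtime check of that sort, so a registry audit alone cannot tell you how the control will behave once loaded.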

InstallShield ActiveX Vuln, WP-Download SQL Injection

There's a SQL injection vulnerability in the WordPress WP-Download plugin. Data passed to wp-download.php is not properly sanitized before it is used in a SQL query, which could allow an attacker to disclose usernames and passwords. WordPress administrators should update the plugin to version 1.2.1.

There's a major vulnerability in an ActiveX control installed by Macrovision InstallShield InstallScript One-Click Install (OCI). The control is installed by web pages that prompt the user to install software, so a large user base is likely affected. When the control is instantiated it loads several DLLs without sanity-checking them, and those DLLs can execute arbitrary code when loaded. The vulnerability has been confirmed in version 12.0. The control's properties are:

File: %WINDIR%\Downloaded Program Files\setup.exe

CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A

Macrovision has released a hotfix for this issue, available along with the KB entry for this vulnerability at http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640

CA Products ActiveX Vuln, VMWare Update Fixes DoS

Multiple CA products that contain the DSM ListCtrl ActiveX control are vulnerable to a buffer overflow. Exploit code for this issue has been posted publicly. It could allow an attacker to cause a denial of service or execute code in the context of the user running the browser. Some mitigating factors, taken from the original advisory:

"Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected."

CA has posted an update for the affected software.

VMware has issued an update for ESX that fixes a denial-of-service vulnerability. Administrators should apply ESX 2.5.5 Upgrade Patch 6.

RealPlayer Active Exploitation, MaxDB, others

A vulnerability has been reported in RealPlayer: an ActiveX control, rmoc3260.dll, is vulnerable to remote code execution. It can be exploited when a user browses to a malicious page, and the code runs in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed, keep it at the latest version, but note that no patch for this issue is available yet; the only current workaround is to disable the affected ActiveX control.

Two vulnerabilities have been reported in SAP's MaxDB. They can be exploited remotely and could result in code execution in the context of the running user. SAP AG has addressed them by releasing a new version of MaxDB; for more information, consult SAP note 1140135.

Multiple vulnerabilities have been reported in IBM Informix Dynamic Server. They can be exploited remotely to cause a buffer overflow. No patch is currently available. For more information see CVE-2008-0727 and CVE-2008-0949.

VMware ESX Multiple Vulns, Novell iPrint Remote Code

VMware ESX is vulnerable to multiple issues, including bypass of security restrictions, system compromise, denial of service and disclosure of sensitive information. ESX 2.x and 3.x are affected. VMware has released patches for these issues, available from www.vmware.com.

Novell iPrint Client is vulnerable to remote exploitation. The vulnerability lies in the ActiveX control ienipp.ocx and can be exploited remotely to cause a stack-based buffer overflow. It has been confirmed in versions 4.26 and 4.32; Novell recommends that all users update to version 4.34.

Oracle Prerelease Info, Tivoli Bof

There's a vulnerability in Oracle Siebel SimBuilder that could allow remote system compromise. It stems from a vulnerability in the NCTAudioFile2.dll ActiveX control. Version 7.8.5 build 2635 is affected; other versions have not been tested and may be vulnerable as well. Users should disable the affected ActiveX control. If you are affected by this and would like more information, please feel free to contact us.

Tivoli Storage Manager Express is vulnerable to a heap-based buffer overflow. A malicious user on the network can exploit it to execute code as the SYSTEM user. Versions prior to 5.3.7.3 are affected. Administrators should apply the update available at ftp://service.boulder.ibm.com/storage/tivoli-storage-management/patches/express/NT/5.3.7.3/

Also, Oracle will release its Critical Patch Update on Tuesday, January 15th. Several critical vulnerabilities in its database software and application servers are expected to be announced; we will provide more details as they become available.