Symantec Internet Security 2008 Vulnerable ActiveX

Posted on April 4, 2008 by Nathan Grandbois

There appears to be two vulnerable ActiveX controls in Symantec Internet Security 2008. The following ActiveX controls are vulnerable:

Progid: SymAData.ActiveDataInfo.1

Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8

File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll

Version: 2.7.0.1

  Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8

  File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll

  Version 2.7.0.1

These ActiveX are marked safe for scripting by Symantec. According to Symantec, although they are marked safe for scripting, they will only run from the “symantec.com” domain. Successful exploitation would require the use of XSS or DNS poisoning techniques, but could allow for complete control over a users system simply by viewing a malicious page. Symantec has issued updates to fix these vulnerabilities.

Quicktime and Opera Multiple Vulnerabilities

Posted on April 4, 2008 by Nathan Grandbois

Multiple vulnerabilities have been announced for Apple Quicktime. I counted 11 different vulnerabilities in the advisory, ranging in criticality from disclosure of personal information to buffer overflows. Apple has released an update, version 7.4.5, that fixes these vulnerabilities.

Opera versions prior to 9.27 are vulnerable to multiple issues. These vulnerabilities could allow for the execution of code on the local host. Users should update to version 9.27.

HP OpenView NNM 0day, lightthpd DoS

Posted on April 2, 2008 by Nathan Grandbois

An exploit has been published for HP OpenView Network Node Manager (NNM). This exploit is preauthentication and can be exploited remotely. From what I’ve read it looks to be exploited over the HTTP port of OpenView and is exploiting the OVAS.exe service. No references to updates or fixes were found. Users should restrict network access to machines running this software.

There’s a vulnerability in lightttpd that can be exploited to cause a denial of service. The issue exists in the SSL error queue where a single connection could be exploited to deny all other SSL connections. This has been fixed in the SVN repository, available at:

http://trac.lighttpd.net/trac/changeset/2136
http://trac.lighttpd.net/trac/changeset/2139

InstallShield ActiveX Vuln, WP-Download SQL Injection

Posted on April 1, 2008 by Nathan Grandbois

There’s a SQL injection in a the Wordress Download plugin. Data passed to wp-download.php is not properly sanitized before being processed by SQL. This could result in a SQL injection attack that could lead to the disclosure of usernames and passwords. WordPress admin’s should update to version 1.2.1.

There’s a major vulnerability in and activex control installed by Macrovision InstallShield InstallScript One-Click Install (OCI). The control gets installed via webpages prompting to install software. A large user base is likely affected by this. Basically, when the activex control is initiated it loads several DLL’s that are not sanity checked. These DLL’s could execute arbitrary code when loaded. This vulnerability has been confirmed in version 12.0. The following are the properties associated with the activex:

File: %WINDIR%\Downloaded Program Files\setup.exe

CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A

Macromedia has released a hotfix for this issue, available along with the KB entry for this vulnerability, at http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640

CA Products ActiveX Vuln, VMWare Update Fixes DoS

Posted on March 31, 2008 by Nathan Grandbois

Multiple CA products containing the DSM ListCtrl ActiveX Control are vulnerable to buffer overflow. Exploit code has been posted to a public area for this issue. This could allow attackers to cause a denial of service or execute code in the context of the user running the browser. Some mitigating factors taken from the original advisory:

” Mitigating Factors: For BrightStor ARCserve Backup for Laptops &
Desktops, only the server installation is affected. Client
installations are not affected. For CA Desktop Management Suite,
Unicenter Desktop Management Bundle, Unicenter Asset Management,
Unicenter Software Delivery and Unicenter Remote Control, only the
Managers and DSM Explorers are affected. Scalability Servers and
Agents are not affected.”

CA has posted an update for the affected software.

VMWare has issued an update for VMWare ESX. This update fixes a vulnerability that could cause a denial of service. Users/Administrators should apply ESX 2.5.5 Upgrade Patch 6.

CiscoWorks Remote Command Shell?

Posted on March 14, 2008 by Nathan Grandbois

A vulnerability has been reported in CiscoWorks Internetwork Performance Monitor. The vulnerability appears to be the result of a command shell bound to a random port. The could be exploited to execute commands on the system. Cisco has released patch IPM version 2.6 CSCsj06260.

A cross site scripting vulnerability has been reported in Nagios. From the description, it appears to be a reflective XSS, but further information is unavailable at this time. We also do not have the input fields that are vulnerable. Versions prior to 2.11 are vulnerable. Please apply version 2.11 if you are running Nagios.

US-CERT Issues Warning for Excel Trojan

Posted on March 11, 2008 by Nathan Grandbois

The US-CERT has issued a warning in response to a Trojan actively exploiting MS08-014. First off, MS08-014 is for Microsoft Excel. The patch was released today that fixes critical vulnerabilities in MS Excel. These vulnerabilities could be exploited via a maliciously crafted Excel file to take complete control over a users system. Secondly, the Trojan they speak of is spreading through email with Excel attachments. The two attachment file names that US-CERT is aware of are OLYMPIC.xls and SCHEDULE.xls. These files may also contain Windows executables that can compromise an affected system. Patch now please.

RealPlayer Active Exploitation, MaxDB, others

Posted on March 11, 2008 by Nathan Grandbois

A vulnerability has been reported in RealPlayer. An activex control, rmoc3260.dll, is vulnerable to remote code execution. This can be exploited when a user browses to a malicious page, and will execute code in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed on your system, it is highly recommended that you update to the latest version, however there is no patch available for the issue. The only current work around is to disable the affected activex control.
Two vulnerabilities have been reported in SAP’s MaxDB. These vulnerabilities can be exploited remotely and could result in code execution under the context of the running user. SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
Multiple vulnerabilities have been reported for IBM Informix Dynamic Server. These vulnerabilities can be exploited to cause a buffer overflow. These vulnerabilities can be exploited remotely. There is not currently a patch available. For more information see CVE-2008-0727 and CVE-2008-0949.

Panda Dos

Posted on March 10, 2008 by Nathan Grandbois

Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.

Ruby on Rails Directory Traversal

Posted on March 7, 2008 by Nathan Grandbois

Ruby 1.8.6 (Webrick Httpd 1.3.1) is vulnerable to a directory traversal flaw. The Ruby on Rails web server, Webrick Httpd 1.3.1, is vulnerable to directory traversal on systems that accept the backslash as a path separator and on case insensitive systems. Patches for the 1.8 and 1.9 code branches are available.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Nathan Grandbois