Recent ActiveX Vulnerabilities Roundup

Well, what was going to be a post about a couple of limited Trend Micro ActiveX flaws from earlier in the week (which I didn't discuss at the time because other topics were higher priority) has grown today with iDefense's release of a couple more ActiveX problems, this time in Symantec and VeriSign products.

First things first. Earlier in the week it was disclosed that there are multiple buffer overflows in an ActiveX control included with Trend Micro Client / Server / Messaging Security for SMB 3.0, Client / Server / Messaging Security for SMB 3.5, OfficeScan 7.0, OfficeScan 7.3, OfficeScan Corporate Edition 6.5, and OfficeScan Corporate Edition 5.58 (collectively CVE-2007-0325). In OfficeScan, however, the exposure seems limited, because the ActiveX control is only cached when OfficeScan is "installed using web deployment" (I don't know exactly what that means or entails, hence the quotes, but I assume it means installed via some central distribution/management system that they offer in the corporate edition).

An overview page at Trend Micro can be found here. At the time of writing there are no fixes for OfficeScan 6.5 / 5.58 or Client / Server / Messaging Security 3.5 / 2.0; they are scheduled for release on March 2nd. (So I guess this is a 0day in one sense of the word: the vulnerability is public before a patch is available.)

Secondly, there is a new multi-vendor ActiveX vulnerability in tgctlsi.dll, which comes from SupportSoft (advisory here). This is reminiscent of another multi-vendor ActiveX vulnerability about a month ago that affected multiple applications that all included the same component. However, if you look at the SupportSoft advisory, you see that it was published back in August 2006 (and versions released after that time were fixed). So why are we hearing about it now? Because the coordinated disclosure is now being done by iDefense, as this particular ActiveX component was shipped with Symantec's Automated Support Assistant, Norton AntiVirus 2006, Norton Internet Security 2006, and Norton System Works 2006 (advisory here, CVE-2006-6490). The SupportSoft update seems to fix three controls (two of which are mentioned in the Symantec advisory), even though the SupportSoft update page only tells you to search for one control. (Maybe because that component will always be there but the others are optional?)

This one is a little confusing to me though. The ActiveX control was fixed in August (though apparently Symantec didn't know about the vulnerability until iDefense notified them in October ???), and the Symantec advisory says "in November 2006, the vulnerable versions of these controls were disabled through LiveUpdate" so I'm not exactly sure why this is only being disclosed now, instead of November… To alert people who don't run LiveUpdate? In any case, as I mentioned, this is a multi-vendor vulnerability in SupportSoft software, however I can't find a list of other products which might have been affected (i.e. they don't seem to list clients for SupportSoft Products Versions 5.5, 5.6 and 6.X anywhere, and like I said they must not have notified their clients based on the timeline given in the iDefense advisory).

Finally, there is an ActiveX vulnerability in a control from VeriSign that is included in the Managed PKI, Secure Messaging for Microsoft Exchange, and Go Secure! products and is used in conjunction with Microsoft software to support 1024-bit encryption. This looks like a really silly security 101 stack-based buffer overflow: it triggers when either of two function parameters is longer than 28 bytes. The iDefense advisory is here and the VeriSign advisory/patch instructions are here. There is no CVE for this vulnerability at the time of writing.
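As an added illustration (not code from the advisories or from VeriSign), here is that bug class in C: two string parameters copied into fixed 28-byte stack buffers with no length check, next to a version that validates both lengths before copying anything. The function names, buffer layout and sample inputs are constructed; the advisories only say the overflow occurs past 28 bytes, so the cutoff here (27 characters plus the terminator) is an assumption about how the real control sized its buffers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an ActiveX method taking two string parameters.
 * PARAM_MAX is the fixed stack buffer size the advisory describes (28). */
#define PARAM_MAX 28

/* Vulnerable pattern: strcpy into a fixed buffer with no length check.
 * Any parameter of PARAM_MAX characters or more (plus its NUL) overruns
 * the stack frame. Shown only to contrast with the checked version below;
 * it is never called with the long input in this program. */
void set_params_vulnerable(const char *a, const char *b)
{
    char buf_a[PARAM_MAX];
    char buf_b[PARAM_MAX];
    strcpy(buf_a, a);   /* overflow if strlen(a) >= PARAM_MAX */
    strcpy(buf_b, b);   /* overflow if strlen(b) >= PARAM_MAX */
    printf("params: %s / %s\n", buf_a, buf_b);
}

/* Hardened form: confirm each parameter is NUL-terminated within PARAM_MAX
 * bytes (memchr never reads past that limit) before touching the buffers.
 * Returns 0 on success, -1 if a parameter is missing or does not fit. */
int set_params_checked(const char *a, const char *b)
{
    char buf_a[PARAM_MAX];
    char buf_b[PARAM_MAX];
    if (a == NULL || b == NULL)
        return -1;
    if (memchr(a, '\0', PARAM_MAX) == NULL ||
        memchr(b, '\0', PARAM_MAX) == NULL)
        return -1;   /* reject before any copy happens */
    memcpy(buf_a, a, strlen(a) + 1);   /* lengths already proven to fit */
    memcpy(buf_b, b, strlen(b) + 1);
    printf("params: %s / %s\n", buf_a, buf_b);
    return 0;
}

int main(void)
{
    char too_long[64];                      /* constructed 63-char input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("checked(short, short) -> %d\n", set_params_checked("short", "also short"));
    printf("checked(long, short)  -> %d\n", set_params_checked(too_long, "x"));
    return 0;
}
```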

You gotta love timeline inconsistencies though…According to the iDefense advisory, the vendor was notified on 12/22 and responded *back in time* on 12/20!!! ;). Also, the VeriSign advisory itself says it was posted 2/14 and the advisories page says 2/20, while the advisory lists 2/27 (4 days from now) for "VeriSign updates the Remote Hosting site kit for Remote Hosting customers"…so…is this a 0 day for those customers then? Who knows!? When VeriSign apparently has a time machine, anything is possible! And yes, I am that nerd that points out continuity errors in The Simpsons, thanks for asking.