AOL SuperBuddy ActiveX Flaw
It seems quite mundane to be reporting on YAAXF (Yet Another ActiveX Flaw) when there is a 0-day for Windows floating around right now, but such is life. Another day, another ActiveX problem, another way for people to be exploited by browsing the web…
CVE-2006-5820 (here's the advisory until the CVE page gets updated) covers a flaw in an ActiveX control that ships with America Online 9.0 Security Edition. AOL pushes the update when a user logs in, but the advisory makes a good point: the software is preinstalled on many systems, the people who own those systems are not necessarily AOL users, and logging in to AOL is the only way to get the patch. Since any website can invoke any ActiveX control registered on the machine, that leaves a lot of people who never use AOL exposed. The workaround is of course to set the kill bit on CLSID
189504B8-50D1-4AA8-B4D6-95C8F58A6414
but the likelihood of any home user ever doing that is nil. Since the advisory gives a bit of detail about the exploit, and the exploitable population includes most Dell, HP, and other big-vendor PC users, this one actually has the potential to be weaponized.
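For admins who do want to apply the workaround across a fleet, here is the kill bit as a script. This is an added example, not from the original post or the advisory; the CLSID is the one above, and the registry location and the 0x400 flag value are the kill bit mechanism Microsoft documents in KB 240797. Run it in an elevated PowerShell session.

```powershell
# Added example (not the post's or AOL's code): set the Internet Explorer kill bit
# for the vulnerable AOL SuperBuddy control and verify it took. Per KB 240797,
# IE refuses to instantiate a control when bit 0x400 is set in the DWORD value
# "Compatibility Flags" under ActiveX Compatibility\{CLSID}.

$Clsid   = '{189504B8-50D1-4AA8-B4D6-95C8F58A6414}'   # CLSID from the advisory
$KillBit = 0x400

# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view, and a
# control from a 32-bit AOL install is what it would load, so cover both views.
$CompatKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

# Report whether the control is even registered on this box (preload or not).
$Registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
Write-Host ("Control {0} registered on this machine: {1}" -f $Clsid, $Registered)

foreach ($Key in $CompatKeys) {
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Preserve any flags already present; only OR in the kill bit.
    $Existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $Existing) { $Existing = 0 }
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($Existing -bor $KillBit) -Force | Out-Null
}

# Verify: every view must now carry the kill bit.
foreach ($Key in $CompatKeys) {
    $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags').'Compatibility Flags'
    $IsSet = (($Flags -band $KillBit) -eq $KillBit)
    Write-Host ("{0}`n  Compatibility Flags = 0x{1:X}, kill bit set: {2}" -f $Key, $Flags, $IsSet)
}
```

Note what this does and does not do: the kill bit stops Internet Explorer from instantiating the control from a web page, which is the attack path the advisory describes, but it neither removes nor patches the control, and hosts that do not consult IE's ActiveX Compatibility list are unaffected. Setting it before the control is installed is fine; the flag is keyed on the CLSID, not on the file.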
