More ActiveX (Kaspersky AV & SolidWorks)
When it rains ActiveX, it pours ActiveX… As a quick aside, it turns out that the winner from yesterday's ActiveX grudge match was decidedly Yahoo Messenger, which went on to garner publicity on both the Secunia front page and the Washington Post Security Fix blog.
The winner of today's popularity contest is almost a foregone conclusion, as we once again pit a true heavyweight against a relative unknown.
SolidWorks is the maker of 3D CAD software. Apparently, for some reason or another, it feels the need to take advantage of the rich feature set that our good friend ActiveX provides. Thus, there is currently a CERT vulnerability note about a flaw in its ActiveX control. The flaw is in a function which runs programs based on user-controlled parameters. So this isn't exactly your standard takeover possibility, but it's only about one step removed. The issue currently has a patch, which is available here (note: .cab file). I would of course be remiss if I didn't mention the obligatory killbit to be set if you cannot, for whatever reason, patch this issue: AB6633A8-60A9-4F5D-B66C-ABE268CC3227. This issue has been assigned CVE-2007-1684.
Our other guest tonight is the rather famous Kaspersky AntiVirus. A duo of issues was released by iDefense today, but only this one is relevant. This too is not your average vanilla ActiveX stack-based buffer overflow. This one exploits a function called StartUploading() which (you guessed it) starts uploading a file from the user's computer via anonymous FTP. Thus, this is an information-stealing attack, which means that it's probably not as powerful as a normal ActiveX attack. Kaspersky has taken a rather laudable step in that its fix removes the vulnerable DLL (description here). This is good because less ActiveX means less attack surface. The killbit for this control is BA61606B-258C-4021-AD27-E07A3F3B91DB. There is no CVE for this issue at this time.
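
The two killbits above can be audited and set with a short script. This is an added example, not part of the original post: it assumes the standard Internet Explorer kill bit location (the `Compatibility Flags` DWORD with bit 0x400 under `ActiveX Compatibility`), and the `-Apply` switch is a name chosen for this script.

```powershell
# Added example: report (and with -Apply, set) the IE kill bit for the two
# CLSIDs named in this post. Run from an elevated PowerShell prompt.
param([switch]$Apply)   # -Apply is a hypothetical switch name for this script

$KillBit = 0x400        # bit in "Compatibility Flags" that blocks instantiation in IE
$Clsids = @{
    'SolidWorks (CVE-2007-1684)' = '{AB6633A8-60A9-4F5D-B66C-ABE268CC3227}'
    'Kaspersky AntiVirus'        = '{BA61606B-258C-4021-AD27-E07A3F3B91DB}'
}
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so cover both views.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($name in $Clsids.Keys) {
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }   # view absent on 32-bit Windows
        $key   = Join-Path $root $Clsids[$name]
        $flags = 0
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }
        $isSet = ($flags -band $KillBit) -eq $KillBit
        if (-not $isSet -and $Apply) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so any other compatibility flags already present survive.
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                -Value ($flags -bor $KillBit) -Force | Out-Null
            $isSet = $true
        }
        # One row per control and registry view, suitable for piping to Format-Table.
        [pscustomobject]@{ Control = $name; Key = $key; KillBitSet = $isSet }
    }
}
```

Run without `-Apply`, it only reports the current state of each key, which makes it usable as a compliance check across machines that cannot take the vendor patches.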
