And… Even MORE ActiveX (Kaspersky, SignKorea, iPIX)

Ok, the Kaspersky one is a late update as Tipping point posted the advisory the day after iDefense posted theirs. The ZDI one is similar in that it also allows an attacker to upload files from the victim's computer, but it also mentions a method which can be used to delete files. The fix is the same for both of them though, as Kaspersky has opted to remove the offending ActiveX controls all-together. This issue has been assigned CVE-2007-1112.

It seems like just the other day that I was mentioning an ActiveX flaw in SignKorea. There is a new one which also is a "take over everything" stack overflow. Also the same caveats as before apply in that it is extremely non-obvious how to get the patched version, which is never a good thing. Also, the lack of a link to any originating advisory means there is no information on a CLSID which could be disabled if the software can't be patched. There is no CVE for this issue at this time.

Finally, rounding out our cavalcade of ActiveX friends, CERT has a new vulnerability note up about a buffer overflow in Internet Pictures Corporation's iPIX Image Well. iPIX apparently specializes in the rotating 3D images that one sees occasionally on websites for showing apartments and whatnot. The one on their site just uses Adobe Flash (and of course QuickTime has been doing this for ages), but apparently their special brand of it uses a DLL with ActiveX support. The interesting thing about this is that CERT is disclosing it because apparently Internet Pictures Corporation has filed for bankruptcy, and therefore a patch is almost certainly not forthcoming. Thus they give you the kill bits to set for this issue if you have iPIX software: {ef8d9f2a-f641-4ef0-b2ec-3ba2be7c2960} and {f7a05bac-9778-410a-9cde-bfbd4d5d2b7f}. This issue is assigned CVE-2007-1687.