ISSSource White Papers

Posts Tagged ‘ActiveX controls’

Friday, September 21, 2012 @ 05:09 PM gHale

Microsoft released an emergency security update for Internet Explorer that fixes a Zero Day vulnerability attackers are actively exploiting.

Earlier this week, the company released a Fix It tool to provide a temporary solution for users until a patch was ready. The Zero Day affects all versions of Internet Explorer (IE), except IE 10.

“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” said Yunsun Wee, director, Microsoft Trustworthy Computing. “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.”

In addition to the Zero Day, the update also addresses four other privately-disclosed security issues in IE. None of those four vulnerabilities ended up exploited in the wild, Microsoft said. All four are remote code execution vulnerabilities.

In the case of the Zero Day, the vulnerability is due to the way Internet Explorer accesses a deleted object or one not properly allocated. As a result, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user, Microsoft said. Attackers can infect users, the company added, via a specially-crafted website designed to exploit the bug after convincing victims to view the site.

There are a number of mitigating factors for the Zero Day. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the Restricted sites zone, which reduces the risk in this case because it disables script and ActiveX controls.

Anyone worried about attacks can also deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and set the Internet and local intranet security zone levels to High, which blocks ActiveX controls and Active Scripting in both zones. Users can also configure IE to prompt before running Active Scripting, or disable it outright.
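One way to check whether a machine actually has the zone settings described above is to read them back from the registry. This is an added example, not Microsoft's tooling; it relies on the standard IE URL-action values (zone 1 is Local intranet, zone 3 is Internet, action 1200 is "Run ActiveX controls and plug-ins", action 1400 is "Active scripting") and only reads, never writes.

```powershell
# Added example: read-only audit of the IE zone mitigations named in the article.
$zones   = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'
              '1400' = 'Active scripting' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Group Policy values (Policies hives) override user preferences when present,
# so each hive is reported separately rather than merged.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots  = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\SOFTWARE\Policies\$suffix",
    "HKCU:\SOFTWARE\$suffix"
)

$report = foreach ($root in $roots) {
    foreach ($zone in $zones.Keys) {
        $key = Join-Path $root $zone
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties
        foreach ($action in $actions.Keys) {
            $prop = $props[$action]
            if ($null -eq $prop) { continue }      # value not set in this hive
            $value = [int]$prop.Value
            $state = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Raw $value" }
            [pscustomobject]@{
                Hive     = $root.Substring(0, 4)   # HKLM or HKCU
                Policy   = $root -like '*\Policies\*'
                Zone     = $zones[$zone]
                Setting  = $actions[$action]
                State    = $state
                # Mitigated when the action prompts or is disabled, i.e. not silently allowed.
                Hardened = ($value -ne 0)
            }
        }
    }
}
$report | Sort-Object Zone, Setting, Hive | Format-Table -AutoSize
```

Rows with `Hardened = False` are zones where script or ActiveX content still runs without a prompt.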

The IE patch was not the only fix Microsoft pushed out today. The company also took aim at Adobe Flash Player vulnerabilities in the Internet Explorer 10 version included with Windows 8. Microsoft has opted to embed Flash Player in IE 10, meaning the company will be responsible for patching it for Windows 8 users.

Users can expect to see Microsoft coordinate the release of Flash Player patches with Adobe Systems, Wee said, adding that updates may sometimes release outside of the normal Patch Tuesday schedule.

Wednesday, April 4, 2012 @ 06:04 PM gHale

There is a buffer overflow vulnerability in multiple components of the ABB WebWare Server application which has holes in the COM and scripting interfaces, according to a report from ICS-CERT.

After learning about the vulnerabilities from independent researchers Terry McCorkle and Billy Rios, ABB followed up with an investigation and discovered these components see use in multiple ABB legacy products.

Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components.

The following ABB products suffer from the issue:
• WebWare Server: All versions of included Data Collector and Interlink
• WebWare SDK: All versions
• ABB Interlink Module: All versions
• S4 OPC Server: All versions
• QuickTeach: All versions
• RobotStudio S4: All versions
• RobotStudio Lite: All versions

Successfully exploiting these vulnerabilities could lead to a denial-of-service for the application and privilege escalation or could allow an attacker to execute arbitrary code.

The legacy WebWare software products include a number of COM and ActiveX controls. These controls are bundled with the products to facilitate communications with the robot controller or the WebWare Server and may run as services on the PC. Other controls provide graphical elements for web pages and custom human-machine interfaces (HMIs).

The above products see use in several different roles in a factory environment. WebWare Server does data gathering and backup handling. WebWare SDK, ABB Interlink Module, and S4 OPC Server work in HMIs and communications to and from a robot controller. QuickTeach, RobotStudio S4, and RobotStudio Lite are PC tools for training, installation, and programming of a robot cell.

Multiple components of the ABB WebWare Server application contain a buffer overflow vulnerability, McCorkle and Rios said. The legacy PC products WebWare Server, WebWare SDK, and other legacy products that include parts of WebWare contain a number of COM and ActiveX components that contain vulnerabilities in the COM and scripting interfaces, ABB said.

The COM and ActiveX controls included in the software do not provide adequate checking of input data. A user or program could call one of the controls’ interfaces with specially crafted input data that can overflow the stack pointer or cause the control to stop execution. The ActiveX controls have been registered as scriptable, which means they can be included and scripted from remotely served web pages. CVE-2012-1801 is the number assigned to this vulnerability. ABB said there is a CVSS Overall Score of 7.7.
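Because the exposure described above depends on the controls being registered as scriptable, a defender can inventory which installed controls carry that registration and whether Internet Explorer's kill bit already blocks them. The script below is an added example, not ABB's or ICS-CERT's code; the install-path filter `*ABB*` is a hypothetical placeholder, and the kill bit is the general IE mechanism rather than a step taken from ABB's advisory.

```powershell
# Added example: read-only audit of ActiveX controls registered as safe for scripting.
$safeForScripting = '{7DD95801-9882-11CF-9FA8-00AA006C4A34}'  # CATID_SafeForScripting
$killBit    = 0x400     # "Compatibility Flags" bit that stops IE from loading a control
$pathFilter = '*ABB*'   # ASSUMPTION: hypothetical install-path pattern, adjust locally

# Legacy 32-bit controls on 64-bit Windows register under WOW6432Node.
$views = @(
    @{ Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'
       Kill  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Kill  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $category = Join-Path $_.PSPath "Implemented Categories\$safeForScripting"
        if (-not (Test-Path -LiteralPath $category)) { return }   # not marked scriptable

        # Binary behind the control: in-process DLL/OCX or out-of-process EXE.
        $server = $null
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $_.PSPath $sub
            if (Test-Path -LiteralPath $serverKey) {
                $server = (Get-Item -LiteralPath $serverKey).GetValue('')
                break
            }
        }
        if ($server -notlike $pathFilter) { return }

        # Look up the kill bit in the registry view that matches the control's bitness.
        $flags = 0
        $killKey = Join-Path $view.Kill $clsid
        if (Test-Path -LiteralPath $killKey) {
            $flags = [int](Get-Item -LiteralPath $killKey).GetValue('Compatibility Flags', 0)
        }
        [pscustomobject]@{
            CLSID      = $clsid
            Server     = $server
            KillBitSet = [bool]($flags -band $killBit)
        }
    }
}
```

A control can also declare itself safe for scripting at run time through the `IObjectSafety` interface, which this registry check does not detect, so an empty result is not proof that no scriptable control is present.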

The vulnerability in these components is remotely exploitable, but there are no known exploits that specifically target the components.

ABB said the WebWare Server and products listed above are legacy products nearing the end of their life cycle and no longer actively supported. Users of these products should go to the available documentation on mitigating risk and securing their machines and production environments. Because these are legacy products, ABB does not intend to patch these vulnerable components.

ABB did release a customer advisory.

In addition, ABB also released a whitepaper on WebWare Component security.

ABB said users should review those documents and implement the recommendations provided.

In addition, ABB customers using these products may contact their local ABB Robotics service organization. Questions or responses on cyber security go to:
