|
 |
|
Sony CD First4Internet XCP Uninstallation ActiveX Control Vulnerability
|
|
|
|
|
Secunia Advisory:
|
SA17610
|
|
|
Release Date:
|
2005-11-16
|
|
Last Update:
|
2005-11-17
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | First4Internet XCP Content Management
|
|
|
This advisory is currently marked as unpatched!
- Companies can be alerted when a patch is released! |
|
|
Description:
A vulnerability has been reported in First4Internet XCP's uninstallation ActiveX control, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to the "CodeSupport.ocx" ActiveX control that is installed via Internet Explorer when the user un-installs the XCP DRM software by visiting the vendor's website. The ActiveX control is marked safe-for-scripting and supports several potentially dangerous methods like "RebootMachine", "InstallUpdate", and "IsAdministrator". This may be exploited to install arbitrary code on the user's system.
Successful exploitation requires that the user visits a malicious website.
The vulnerability is related to:
SA17408
Solution:
Remove the ActiveX control from the system if it is installed.
Provided and/or discovered by:
Muzzy, J. Alex Halderman, and Ed Felten.
Changelog:
2005-11-17: Added link to US-CERT vulnerability note.
Original Advisory:
http://www.freedom-to-tinker.com/?p=927
http://hack.fi/~muzzy/sony-drm/
Other References:
SA17408:
http://secunia.com/advisories/17408/
US-CERT VU#312073:
http://www.kb.cert.org/vuls/id/312073
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
1 Related Secunia Security Advisories
|
|
|
1. Sony CD First4Internet XCP DRM Software Security Issue
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
