
Vulnerability Report: Data Dynamics ActiveBar 1.x

This vulnerability report for Data Dynamics ActiveBar 1.x contains a complete overview of all Secunia advisories affecting it. You can use this vulnerability report to ensure that you are aware of all vulnerabilities, both patched and unpatched, affecting this product, allowing you to take the necessary precautions.

If you have information about a new or an existing vulnerability in Data Dynamics ActiveBar 1.x then you are more than welcome to contact us.


Vendor, Links, and Unpatched Vulnerabilities

Vendor: Data Dynamics, Ltd.

Affected By: 2 Secunia advisories, 4 vulnerabilities

Unpatched: 100% (2 of 2 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Data Dynamics ActiveBar 1.x, with all vendor patches applied, is rated Highly critical.




Discuss this Product
A new thread in our forum is automatically created for each Product. Activate the thread by commenting/discussing below.
Subject: Data Dynamics ActiveBar 1.x 
User Message
MadMonk RE: Data Dynamics ActiveBar 1.x
Member 13th May, 2011 00:00
Score: 3
Posts: 13
User Since: 13th Jul 2008
System Score: 99%
Location: US
Last edited on 13th May, 2011 00:00
In my case this file was installed by Legacy Family Tree Software. They dispute the vulnerability finding (http://www.mail-archive.com/legacyusergroup@legacyusers.com/msg11651.html).
Was this reply relevant?
+3
-1
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 20th Apr, 2012 14:55
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
Legacy is not the only one. IBM SPSS's Sample Power 3 also uses the Dynamics ActiveBar in both versions: 1.x and 2.x.
For now, I deleted the two files (and consequently disabled the program). No one, neither here at Secunia nor on the IBM service page, has reported the issue so far. Does anyone know the registry key to set the kill bit for the ActiveX entry for this?
Thanks in advance...
Was this reply relevant?
+0
-0
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 20th Apr, 2012 15:31
Score: 8623
Posts: 6,658
User Since: 4th Jan 2009
System Score: 100%
Location: UK
What path do Secunia give U?


FINDING A FILE PATH USING PSI VERSION 2

From the DASHBOARD page click on SCAN RESULTS.

1. This will list all your programmes with a + to the left of each programme.
2. Click the + sign next to the item that U want help with.
3. This will reveal the path under DETECTED INSTANCES.
4. Below DETECTED INSTANCES you will see this You can double click this row for additional information & options>double click it>a box will appear>look to the RIGHT & U will see TROUBLESHOOT REPORT in BLUE writing under the heading TOOLBOX> click TroubleShoot Report & it will reveal some information in a box>highlight the information revealed from ---START--- to ---END--- & copy it (CTRL+C) then post it to the Forum (CTRL+V)

As an EXAMPLE the end result U post to the Forum should look something like this:
---START---

Program Name:
Adobe Flash Player 11.x

Security State:
Patched

Download Link:
http://fpdownload.adobe.com/get/flashplayer/curren...

Instances Found:
C:\Windows\SysWOW64\Macromed\Flash\Flash32_11_2_202_228.ocx, version: 11.2.202.228 (ActiveX)

Last System Scan (localtime):
3. Apr 2012, 09:25

Operating System:
Microsoft Windows 7

---END---


Update 15 09:31 04/04/2012

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE9
16GB RAM
Was this reply relevant?
+0
-0
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 13:34
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
Thanks for your response.

After IBM SPSS SamplePower repair install, Secunia detects these two entries, with the message "Programs that need updating":

1) Program name: Data Dynamics ActiveBar 1.0.6.4
File location: c:\Windows\SysWOW64
File: ACTBAR.OCX, ActiveX control, 353 KB

2) Program name: Data Dynamics ActiveBar 2.5.2.121
File location: c:\Windows\SysWOW64
File: ACTBAR2.OCX, ActiveX control (.OCX), 814 KB

Operating System:
Windows 7 Home Premium SP1, 64 bit
Asus Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
IE9, Firefox 11.0 & Opera 11.62
4GB RAM

Secunia Beta version 3 does not show the download link; it just said: "We are sorry, but the update for this program failed. To help us diagnose and fix the problem, please send us your scan data and provide an email address so we can contact you if we need to"

I put the email address, and send it...
Was this reply relevant?
+0
-0
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 15:56
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
OK, I went back to the regular Secunia version and got the info as you suggested:

"Some programs can be difficult to update for various reasons, the following window contains information that can be used to troubleshoot why it is difficult to update this specific program on your PC.
If you still can't solve the problem after investigating the data in this report, we recommend that you copy and paste the content from "---START---" to "---END---" into a new thread in our Secunia Community Forum where tousands of users are ready to help you."

For the first one:

---START---
Program Name:
Data Dynamics ActiveBar 1.x
Security State:
End-of-Life
Download Link:
Instances Found:
C:\Windows\SysWOW64\ACTBAR.OCX, version: 1.0.6.4
Last System Scan (localtime):
20. Apr 2012, 13:12
Operating System:
Microsoft Windows 7, Microsoft Windows 7
---END---"

The second one:

---START---
Program Name:
Data Dynamics ActiveBar 2.x
Security State:
End-of-Life
Download Link:
Instances Found:
C:\Windows\SysWOW64\ACTBAR2.OCX, version: 2.5.2.121
Last System Scan (localtime):
20. Apr 2012, 13:12
Operating System:
Microsoft Windows 7, Microsoft Windows 7
---END---"

I hope, this info can be useful.
Thanks again.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 18:30
Score: 8623
Posts: 6,658
User Since: 4th Jan 2009
System Score: 100%
Location: UK
Last edited on 23rd Apr, 2012 19:17
Those two files are not vulnerable just End of Life therefore U are secure.

As long as U remain mindful of their status just create an ignore rule until the vendor (IBM SPSS's Sample Power 3) produces an updated version.

PROGRAMME EXCLUSION RULE

Open PSI>Scan results>expand any programme by clicking the "+" to the left of the programme entry.
This will reveal DETECTED INSTANCES and below it two Yellow Folders. Click the folder with the RED dot which will create an Ignore Rule for that item.

EDIT:
Does IBM SPSS's Sample Power 3 show as an up to date programme in the PSI Scan Results page?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE9
16GB RAM
Was this reply relevant?
+1
-0
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 20:06
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
I am a little bit confused, the Secunia Advisories SA43474 & SA26098 for Data Dynamics ActiveBar 1.x and 2.x rated them as highly critical, and says:

SA43474 Description:
Parvez Anwar has discovered a vulnerability in Data Dynamics ActiveBar ActiveX Control, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error when handling the "SetLayoutData()" method and can be exploited to perform a virtual function call into an arbitrary memory location via a specially crafted "Data" argument.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 1.0.6.5. Other versions may also be affected.
Solution
The product has been discontinued. Set the kill-bit for the affected ActiveX control.

SA26098 Description:
shinnai has discovered some vulnerabilities in Data Dynamics ActiveBar, which can be exploited by malicious people to overwrite arbitrary files.
The vulnerabilities are caused due to the ActiveX control (actbar.ocx/Actbar2.ocx/Actbar3.ocx) providing the insecure "Save()", "SaveLayoutChanges()", and "SaveMenuUsageData()" methods. These can be exploited to overwrite and corrupt arbitrary files on the system in the context of the currently logged-on user.
The vulnerabilities are confirmed in versions 1.0.6.5, 2.5.0.65, 3.1.0.156, and 3.2.0.174. Other versions may also be affected.
Solution
Set the kill-bit for the affected ActiveX control.

That is why I asked about the related ActiveX registry line for the recommended kill-bit procedure. The registry change proposed is tricky so, for now, I have disabled the files until the program is upgraded.
Thanks again.
Was this reply relevant?
+0
-0
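The kill-bit step asked about above, as an added example that is not part of any forum post or of the Secunia advisories: it looks up the CLSIDs registered for the two OCX files named in the scan reports and sets the kill bit for each. The page does not give the control's CLSIDs, so the script discovers them on the local machine; it assumes the standard Internet Explorer "ActiveX Compatibility" registry location and its "Compatibility Flags" value of 0x400.

```powershell
# Added example: run in an elevated 64-bit PowerShell so both registry views are visible.
$ocxNames = 'ACTBAR.OCX', 'ACTBAR2.OCX'   # file names from the scan reports in this thread
$killBit  = 0x00000400                    # "Compatibility Flags" bit that blocks the control in IE

# 32-bit controls in SysWOW64 register under Wow6432Node on 64-bit Windows; check both views.
$clsidRoots  = 'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
$compatRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

# Step 1: find every CLSID whose in-process server is one of the ActiveBar files.
$clsids = foreach ($root in $clsidRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $server = $key.OpenSubKey('InprocServer32')
        if ($null -eq $server) { continue }
        $path = [string]$server.GetValue('')        # default value = path to the OCX
        $server.Close()
        $leaf = ($path -split '\\')[-1].Trim('" ')
        if ($ocxNames -contains $leaf) { $key.PSChildName }   # -contains is case-insensitive
    }
}
if (-not $clsids) { 'No ActiveBar control registration found.' }

# Step 2: set the kill bit for each CLSID, preserving any flags that are already present.
foreach ($clsid in ($clsids | Sort-Object -Unique)) {
    foreach ($root in $compatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $target = Join-Path $root $clsid
        if (-not (Test-Path -LiteralPath $target)) { New-Item -Path $target -Force | Out-Null }
        $current = (Get-ItemProperty -LiteralPath $target).'Compatibility Flags'
        New-ItemProperty -LiteralPath $target -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$current -bor $killBit) -Force | Out-Null
        '{0}: kill bit set under {1}' -f $clsid, $root
    }
}
```

The kill bit only stops Internet Explorer and other hosts that honor it from instantiating the control; a desktop program that loads the OCX itself is not affected by this setting.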
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 21:13
Score: 8623
Posts: 6,658
User Since: 4th Jan 2009
System Score: 100%
Location: UK
Thank U for the update. U have not answered this:

Does IBM SPSS's Sample Power 3 show as an up to date programme in the PSI Scan Results page?

Is it showing in any PSI results?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE9
16GB RAM
Was this reply relevant?
+0
-0
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 22:38
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
I looked for the program because of your question and I could not find the SPSS stats programs package (SPSS Statistics, SamplePower & Visualization Designer) in the Secunia scan results list. Therefore, I suggested them, but it will take some time before it happens. Instead, I have applied all the patches and updates available at the IBM service page (thanks to the Secunia help message about Java and the Dynamic Active Bar security problems).
I will post the news when they arrive...
Was this reply relevant?
+0
-0
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 23:01
Score: 8623
Posts: 6,658
User Since: 4th Jan 2009
System Score: 100%
Location: UK
Last edited on 23rd Apr, 2012 23:48
Thank U. I would suggest Secunia are currently identifying your programme by those two files rather than the exe file which could lead to a false positive.

Your programme is SECURE & is already on their database here:
http://secunia.com/advisories/product/39434/

I have been dealing with Secunia on & off the Forum with numerous similar issues to yours. I will write to them tonight to get total clarification for U.

@MadMonk.

It is not the same for U. The vulnerability affecting Legacy Family Tree is precise here:

http://secunia.com/advisories/44456/

The vulnerability is this file embedded (bundled) in your programme. The vulnerabilities are confirmed in version 7.5.0.77 bundling ActBar.ocx version 1.0.6.5.

I personally would not accept the vendor's alleged position that version 7.5 is secure.

I would invite them to this Forum to make a statement to that effect so that the Secunia Experts can re-examine the proof data they submit.

EDIT: Email sent 2245 hour BST.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE9
16GB RAM
Was this reply relevant?
+2
-0
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 26th Apr, 2012 17:50
Score: 8623
Posts: 6,658
User Since: 4th Jan 2009
System Score: 100%
Location: UK
@Ah-unzatxu

This thread got lost amongst the "spammers attacks" which thankfully have been removed.

Has your problem been resolved? I received a rapid reply from my email to Secunia Support stating they had received your programme suggestion & were working on providing an answer on whether, in your case, it was a false positive as I suggested.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE9
16GB RAM
Was this reply relevant?
+1
-0

© 2002-2012 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144