
Vulnerability Report: Data Dynamics ActiveBar 1.x

This vulnerability report for Data Dynamics ActiveBar 1.x contains a complete overview of all Secunia advisories affecting it. You can use this vulnerability report to ensure that you are aware of all vulnerabilities, both patched and unpatched, affecting this product, allowing you to take the necessary precautions.

If you have information about a new or an existing vulnerability in Data Dynamics ActiveBar 1.x then you are more than welcome to contact us.

Vendor, Links, and Unpatched Vulnerabilities

Vendor: Data Dynamics, Ltd.

Affected By: 2 Secunia advisories, 4 vulnerabilities

Unpatched: 100% (2 of 2 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Data Dynamics ActiveBar 1.x, with all vendor patches applied, is rated Highly critical.




Discuss this Product
Subject: Data Dynamics ActiveBar 1.x 
This user no longer exists RE: Data Dynamics ActiveBar 1.x
Member 13th May, 2011 00:00
Last edited on 13th May, 2011 00:00
In my case this file was installed by Legacy Family Tree Software. They dispute the vulnerability finding (http://www.mail-archive.com/legacyusergroup@legacyusers.com/msg11651.html).
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 20th Apr, 2012 14:55
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
Legacy is not the only one. IBM SPSS's Sample Power 3 also uses the Dynamics ActiveBar in both versions: 1.x and 2.x.
For now, I have deleted the two files (and consequently disabled the program). No one, neither here at Secunia nor on the IBM service page, has reported the issue so far. Does anyone know the registry key to set the kill bit for the ActiveX entry for this?
Thanks in advance...
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 20th Apr, 2012 15:31
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What path do Secunia give U?


FINDING A FILE PATH USING PSI VERSION 2

From the DASHBOARD page click on SCAN RESULTS.

1. This will list all your programmes with a + to the left of each programme.
2. Click the + sign next to the item that U want help with.
3. This will reveal the path under DETECTED INSTANCES.
4. Below DETECTED INSTANCES you will see this You can double click this row for additional information & options>double click it>a box will appear>look to the RIGHT & U will see TROUBLESHOOT REPORT in BLUE writing under the heading TOOLBOX> click TroubleShoot Report & it will reveal some information in a box>highlight the information revealed from ---START--- to ---END--- & copy it (CTRL+C) then post it to the Forum (CTRL+V)

As an EXAMPLE the end result U post to the Forum should look something like this:
---START---

Program Name:
Adobe Flash Player 11.x

Security State:
Patched

Download Link:
http://fpdownload.adobe.com/get/flashplayer/curren...

Instances Found:
C:\Windows\SysWOW64\Macromed\Flash\Flash32_11_2_202_228.ocx, version: 11.2.202.228 (ActiveX)

Last System Scan (localtime):
3. Apr 2012, 09:25

Operating System:
Microsoft Windows 7

---END---


Update 15 09:31 04/04/2012

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 13:34
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
Thanks for your response.

After IBM SPSS SamplePower repair install, Secunia detects these two entries, with the message "Programs that need updating":

1) Program name: Data Dynamics ActiveBar 1.0.6.4
File location: c:\Windows\SysWOW64
File: ACTBAR.OCX, ActiveX control, 353 KB

2) Program name: Data Dynamics ActiveBar 2.5.2.121
File location: c:\Windows\SysWOW64
File: ACTBAR2.OCX, ActiveX control (.OCX), 814 KB

Operating System:
Windows 7 Home Premium SP1, 64 bit
Asus Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
IE9, Firefox 11.0 & Opera 11.62
4GB RAM

Secunia Beta version 3 does not show the download link; it just said: "We are sorry, but the update for this program failed. To help us diagnose and fix the problem, please send us your scan data and provide an email address so we can contact you if we need to"

I entered the email address and sent it...
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 15:56
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
OK, I went back to the regular Secunia version and got the info as you suggested:

"Some programs can be difficult to update for various reasons, the following window contains information that can be used to troubleshoot why it is difficult to update this specific program on your PC.
If you still can't solve the problem after investigating the data in this report, we recommend that you copy and paste the content from "---START---" to "---END---" into a new thread in our Secunia Community Forum where tousands of users are ready to help you."

For the first one:

---START---
Program Name:
Data Dynamics ActiveBar 1.x
Security State:
End-of-Life
Download Link:
Instances Found:
C:\Windows\SysWOW64\ACTBAR.OCX, version: 1.0.6.4
Last System Scan (localtime):
20. Apr 2012, 13:12
Operating System:
Microsoft Windows 7, Microsoft Windows 7
---END---

The second one:

---START---
Program Name:
Data Dynamics ActiveBar 2.x
Security State:
End-of-Life
Download Link:
Instances Found:
C:\Windows\SysWOW64\ACTBAR2.OCX, version: 2.5.2.121
Last System Scan (localtime):
20. Apr 2012, 13:12
Operating System:
Microsoft Windows 7, Microsoft Windows 7
---END---

I hope this info can be useful.
Thanks again.
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 18:30
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 23rd Apr, 2012 19:17
Those two files are not vulnerable just End of Life therefore U are secure.

As long as U remain mindful of their status just create an ignore rule until the vendor (IBM SPSS's Sample Power 3) produces an updated version.

PROGRAMME EXCLUSION RULE

Open PSI>Scan results>expand any programme by clicking the "+" to the left of the programme entry.
This will reveal DETECTED INSTANCES and below it two Yellow Folders. Click the folder with the RED dot which will create an Ignore Rule for that item.

EDIT:
Does IBM SPSS's Sample Power 3 show as an up to date programme in the PSI Scan Results page?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 20:06
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
I am a little bit confused: the Secunia Advisories SA43474 & SA26098 for Data Dynamics ActiveBar 1.x and 2.x rate them as highly critical, and say:

SA43474 Description:
Parvez Anwar has discovered a vulnerability in Data Dynamics ActiveBar ActiveX Control, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error when handling the "SetLayoutData()" method and can be exploited to perform a virtual function call into an arbitrary memory location via a specially crafted "Data" argument.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 1.0.6.5. Other versions may also be affected.
Solution
The product has been discontinued. Set the kill-bit for the affected ActiveX control.

SA26098 Description:
shinnai has discovered some vulnerabilities in Data Dynamics ActiveBar, which can be exploited by malicious people to overwrite arbitrary files.
The vulnerabilities are caused due to the ActiveX control (actbar.ocx/Actbar2.ocx/Actbar3.ocx) providing the insecure "Save()", "SaveLayoutChanges()", and "SaveMenuUsageData()" methods. These can be exploited to overwrite and corrupt arbitrary files on the system in the context of the currently logged-on user.
The vulnerabilities are confirmed in versions 1.0.6.5, 2.5.0.65, 3.1.0.156, and 3.2.0.174. Other versions may also be affected.
Solution
Set the kill-bit for the affected ActiveX control.

That is why I asked about the related ActiveX registry line for the recommended kill-bit procedure. The registry change proposed is tricky so, for now, I have disabled the files until the program is upgraded.
Thanks again.
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 21:13
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thank U for the update. U have not answered this:

Does IBM SPSS's Sample Power 3 show as an up to date programme in the PSI Scan Results page?

Is it showing in any PSI results?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Ah-unzatxu RE: Data Dynamics ActiveBar 1.x
Member 23rd Apr, 2012 22:38
Score: 0
Posts: 5
User Since: 20th Apr 2012
System Score: N/A
Location: ES
I looked for the program because of your question and I could not find the SPSS stats programs package (SPSS Statistics, SamplePower & Visualization Designer) in the Secunia scan results list. Therefore, I suggested them, but it will take some time before it happens. Instead, I have applied all the patches and updates available at the IBM service page (thanks to the Secunia help message about Java and the Dynamic Active Bar security problems).
I will post the news when they arrive...
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 23rd Apr, 2012 23:01
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 23rd Apr, 2012 23:48
Thank U. I would suggest Secunia are currently identifying your programme by those two files rather than the exe file which could lead to a false positive.

Your programme is SECURE & is already on their database here:
http://secunia.com/advisories/product/39434/

I have been dealing with Secunia on & off the Forum with numerous similar issues to yours. I will write to them tonight to get total clarification for U.

@MadMonk.

It is not the same for U. The vulnerability affecting Legacy Family Tree is precise here:

http://secunia.com/advisories/44456/

The vulnerability is this file embedded (bundled) in your programme. The vulnerabilities are confirmed in version 7.5.0.77 bundling ActBar.ocx version 1.0.6.5.

I personally would not accept the vendor's alleged position that version 7.5 is secure.

I would invite them to this Forum to make a statement to that effect so that the Secunia Experts can re-examine the proof data they submit.

EDIT: Email sent 2245 hour BST.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 26th Apr, 2012 17:50
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Ah-unzatxu

This thread got lost amongst the "spammers attacks" which thankfully have been removed.

Has your problem been resolved? I received a rapid reply from my email to Secunia Support stating they had received your programme suggestion & were working on providing an answer on whether, in your case, it was a false positive as I suggested.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Moonwink RE: Data Dynamics ActiveBar 1.x
Member 31st Aug, 2013 20:21
Score: 1
Posts: 14
User Since: 26th Nov 2009
System Score: N/A
Location: US
I just installed the latest version of Legacy Family Tree and saw PSI flag it as a danger. I see this has been an issue for some time. I thought I'd resolved the problem by renaming ActBar.ocx to ActBar.ocx.$$$. But, I found out Legacy won't start without it. I see no option but to leave this file on my system if I want to keep using Legacy and set PSI to ignore this problem.

What's the best advice after all this time?

E.Jeppesen RE: Data Dynamics ActiveBar 1.x
Secunia Official 2nd Sep, 2013 10:53
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
@Moonwink
Basically, when a vulnerability is unpatched, thereby preventing you from updating to a patched version, you can either uninstall the program, replace it with a similar program, or run the risk of leaving it installed.

However, I would very much like to make sure what you experience is not a misdetection. So before providing any further advice, would you mind sending us a software suggestion for the file that is detected as vulnerable?

Our FAQ describes how to send a software suggestion:
http://secunia.com/vulnerability_scanning/personal...
Please make a comment in the software suggestion with a link to this thread.
Moonwink RE: Data Dynamics ActiveBar 1.x
Member 2nd Sep, 2013 15:17
Score: 1
Posts: 14
User Since: 26th Nov 2009
System Score: N/A
Location: US
I'm not really following you - "software suggestion"? Secunia PSI is detecting "ActBar.ocx" as a problem. It was installed along with the free version of Legacy Family Tree Maker (http://legacyfamilytree.com/DownloadLegacy.asp) which I've been using for years to maintain my genealogy records. I upgraded my PC and reinstalled PSI and Legacy when the problem occurred. I searched for information on how to handle this problem and ended up with this topic where it's been reported (see Maurice Joyce's reply above) but I don't see any solution listed.

I've asked Legacy to respond with their side of the story and provided them the link to this topic. I will post any other information they provide.
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 2nd Sep, 2013 18:01
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This is what Secunia Support are requesting to check whether the embedded ocx file is vulnerable or not (sometimes when they are bundled there is no security impact).

SUGGESTING A NEW PROGRAMME TO SECUNIA

Secunia do not accept programme versions in ALPHA (includes Google Canary/Dev & Mozilla Aurora) or BETA.

PSI Version 3
1. Open PSI>show programmes - U should see all your programmes listed by an icon or list presentation.
2. Click Add Program (top right of page)
3. Fill out the details requested & click Send Data.

PSI Version 2

1. From the DASHBOARD page click on RESULTS.
2. On the RESULTS page look above the tab INSTALL SOLUTION & U will see a green icon & ARE YOU MISSING A PROGRAM?
3. Click it. Fill out the details requested.
4. Click SUGGEST SOFTWARE.

PSI Version 1

1. Open the PATCHED or SECURE BROWSING tab.
2. Scroll to the bottom where U will see a link in blue ink "Program Missing? Suggest It Here!"
3. Click the link & then fill out the details in the boxes that appear (the important bit is the FILE SELECTION).
4. Click Suggest Program.

If requested, Secunia respond by email that the programme has been added to their database. A full PSI scan should reveal it.

Last Reviewed 16:55 02/09/2013




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Moonwink RE: Data Dynamics ActiveBar 1.x
Member 2nd Sep, 2013 19:32
Score: 1
Posts: 14
User Since: 26th Nov 2009
System Score: N/A
Location: US
When I click the suggest software button, I get a message that "No version number was available the specified file. Please locate the main .exe or .dll for the program and try again". I tried first finding the .exe for Legacy and then ActBar.ocx. I have no idea what PSI is looking for here but it won't accept my submission of a software suggestion.
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 2nd Sep, 2013 22:01
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I have downloaded the programme & sent the details requested to Secunia Support for you.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
E.Jeppesen RE: Data Dynamics ActiveBar 1.x
Secunia Official 3rd Sep, 2013 13:26
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Thank you Maurice for the software suggestion.

I can now confirm that Data Dynamics ActiveBar 1.x is correctly detected and it is indeed both end-of-life and vulnerable.

In many cases where a vulnerable program is bundled with another program, the vulnerable program does not pose any serious risk. In this case however the bundled Data Dynamics ActiveBar 1.x is installed into its default installation path and the vulnerability is possible to exploit.

Options:
* Uninstall Legacy Family Tree 7.x to remove the vulnerability.
* Set the kill-bit as mentioned in our advisory. However, there is a risk that this will make Legacy Family Tree unfunctional.
* Contact the support for Legacy Family Tree and ask for their assistance.
* Accept the risk of the vulnerability and create an ignore rule in the PSI.
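
The advisories quoted in this thread recommend setting the kill-bit, and an earlier post asks which registry key that involves. The following is an added example, not code from Secunia, the vendors or any poster: it finds the class IDs registered for the OCX files named in the thread and reports, or with the hypothetical `-Apply` switch sets, the kill-bit under Internet Explorer's "ActiveX Compatibility" key. The page does not give the control's CLSIDs, so the script looks them up by file name; the parameter names are illustrative, and it assumes an elevated 64-bit PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Run from an elevated 64-bit PowerShell 3.0+ prompt.
param(
    [string[]]$FileNames = @('ACTBAR.OCX', 'ACTBAR2.OCX'),  # file names reported in the thread
    [switch]$Apply                                          # hypothetical switch: report only unless given
)

$KillBit = 0x400   # "Compatibility Flags" bit that stops Internet Explorer loading the control

# Pair each COM registration view with the IE compatibility key of the same bitness.
$views = @(
    @{ Name    = '64-bit'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name    = '32-bit'
       Classes = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Classes)) { continue }   # e.g. no Wow6432Node on 32-bit Windows

    foreach ($clsidKey in Get-ChildItem -LiteralPath $view.Classes -ErrorAction SilentlyContinue) {
        # The default value of InprocServer32 is the path of the file implementing the class.
        try { $serverKey = $clsidKey.OpenSubKey('InprocServer32') } catch { continue }
        if ($null -eq $serverKey) { continue }
        $serverPath = [string]$serverKey.GetValue('')
        $serverKey.Close()

        $leaf = ($serverPath.Trim('"') -split '[\\/]')[-1]
        if ($FileNames -notcontains $leaf) { continue }             # -notcontains ignores case

        $clsid     = $clsidKey.PSChildName
        $compatKey = Join-Path $view.Compat $clsid
        $flags     = 0
        if (Test-Path -LiteralPath $compatKey) {
            $flags = [int]((Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0))
        }

        if ($Apply -and -not ($flags -band $KillBit)) {
            # Create the key only when it is missing, so existing values are left alone.
            if (-not (Test-Path -LiteralPath $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
            $flags = $flags -bor $KillBit
            Set-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' -Value $flags -Type DWord
        }

        [pscustomobject]@{
            View       = $view.Name
            Clsid      = $clsid
            Server     = $serverPath
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}
```

Run without `-Apply` first to review which class IDs match; a control installed under `SysWOW64`, as in the scan output posted above, appears in the 32-bit view.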
Moonwink RE: Data Dynamics ActiveBar 1.x
Member 3rd Sep, 2013 21:55
Score: 1
Posts: 14
User Since: 26th Nov 2009
System Score: N/A
Location: US
The reply from Legacy:

Secunia Personal Software Inspector (PSI) does flag Actbar.OCX an old file; however Legacy still uses it. If you delete it Legacy won't work any longer and it will have to be reinstalled. Actbar.OCX is actually a low security risk. We will be replacing Actbar.OCX with the next version when we release Legacy Family Tree 8.0 in a few months.

Sincerely,

Jim
Technical Support
Legacy Family Tree
Maurice Joyce RE: Data Dynamics ActiveBar 1.x
Handling Contributor 4th Sep, 2013 00:12
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 4th Sep, 2013 10:40
I think you are being given the runaround by Legacy.

They were in denial in the first instance.

https://1ncuig.bn1.livefilestore.com/y2pOT7RxWrZAH...

They were notified by a member of this Forum that they were still using a HIGHLY CRITICAL vulnerability in 2011 & promised a fix. They have done nothing by the look of it.


This 2011 thread gives details of contact with Legacy & their promise to fix it.

https://secunia.com/community/forum/thread/show/10...

1. I would ask them why after 2 years they have done nothing particularly if you are paying them.

2. Why they have reassessed it as LOW RISK. At least IBM took the threat seriously as can be seen here:

https://www-304.ibm.com/support/docview.wss?uid=sw...

3. Why are they using Data Dynamics ActiveBar that was declared obsolete years ago & vulnerable in 2011 with Legacy Family Tree.

4. Exactly when are they releasing version 8 without this long outstanding vulnerability.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144