Hole in Creative ActiveX module
Security services provider eEye has discovered a security hole in an ActiveX auto-updater module that is installed by the software supplied with many Creative devices. The hole enables attackers to inject malicious code. eEye warns that exploit code is publicly available.
The AutoUpdate Engine is provided by the file CTSUEng.ocx
. On installation, the Safe For Scripting
and Safe For Initialization
flags are set, allowing the ActiveX module to connect with web sites in Internet Explorer. According to eEye, a stack buffer overflow can occur if crafted values for the CacheFolder
are processed.
No update is yet available from Creative. Users can protect themselves by completely disabling the execution of ActiveX in the internet zone – given the great number of security holes in a variety of ActiveX modules, this is a good general policy. Alternatively you can set the kill bit for the ClassID {0A5FD7C5-A45C-49FC-ADB5-9952547D5715}
. David Maynor has extended his AxBan tool so that it can set the kill bit for the Creative ActiveX module. In response to many requests, Maynor has also included functionality that allows a user to unset the kill bit again.
See also:
- Creative Software AutoUpdate Engine ActiveX stack buffer overflow, security advisory from eEye
- Creative Software AutoUpdate Engine ActiveX stack buffer overflow, failure report from US-CERT
- Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit from BitKrush in the milw0rm archive
- New AxBan: 1.0.0.4, blog entry by David Maynor
(mba)