In association with heise online

08 May 2007, 10:34

Security vulnerability in ActiveX module from camera manufacturer Axis

US-CERT has reported a security vulnerability in an ActiveX module from surveillance camera manufacturer Axis, which can be exploited by attackers using crafted web pages to inject arbitrary code onto affected users' computers. The component originates from the camera software and is marked as "safe for scripting", meaning that web pages can load it in Internet Explorer. Users can download an updated version of the ActiveX module from the vendor's website.

The flawed CamImage / Axis Camera Control component is contained in the AxisCamControl.ocx file. The vulnerability can be exploited when the SaveBMP() function is called, and results in a buffer overflow. If an update is not possible at present, users should set the kill bit for the ClassID {917623D1-D8E5-11D2-BE8B-00104B06BDE3}.
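
The kill-bit workaround, as an added PowerShell example that is not part of the original report or of Axis's or US-CERT's material. It assumes Microsoft's documented kill-bit mechanism, which the article does not spell out: a `Compatibility Flags` DWORD containing 0x400 under Internet Explorer's `ActiveX Compatibility` key, with a second registry view for 32-bit Internet Explorer on 64-bit Windows. The function names are illustrative.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the ClassID in the article.
# Run from an elevated PowerShell prompt. Helper names below are hypothetical.
$Clsid   = '{917623D1-D8E5-11D2-BE8B-00104B06BDE3}'   # ClassID quoted in the article
$KillBit = 0x400                                       # kill-bit value in "Compatibility Flags"

# 64-bit Windows keeps a separate registry view for 32-bit Internet Explorer.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$KeyPath)
    # Returns 0 when the key or the value does not exist yet.
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present and OR in the kill bit.
    $new = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent, e.g. on 32-bit Windows
    Set-KillBit -Root $root -Clsid $Clsid
    # Read the value back so the result reflects the registry, not the intent.
    $flags = Get-CompatFlags (Join-Path $root $Clsid)
    $state = if (($flags -band $KillBit) -ne 0) { 'kill bit set' } else { 'NOT set' }
    '{0}\{1}: Compatibility Flags = 0x{2:X8} ({3})' -f $root, $Clsid, $flags, $state
}
```

The kill bit only stops Internet Explorer from instantiating the control; the vulnerable AxisCamControl.ocx file stays on disk until the vendor's updated module is installed.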

The Month of ActiveX Bugs has also thrown up further security vulnerabilities in ActiveX components. These are, however, generally less well known and less widely distributed modules: ActSoft DVD-Tools (dvdtools.ocx), East Wind Software (advdaudio.ocx), Sienzo Digital Music Mentor (DSKernel2.dll) and Versalsoft HTTP File Uploader (UFileUploaderD.dll), in which a buffer overflow can occur. To date the vendors of the affected products are not offering updated, bug-fixed versions.
