In association with heise online

29 April 2007, 12:29

Security vulnerability in IncrediMail


US-CERT has reported a security vulnerability in an ActiveX module installed by IncrediMail, which allows nefarious individuals to inject arbitrary code onto users' computers using manipulated web pages, emails, or HTML file attachments. IncrediMail, in contrast to other e-mail programs, includes numerous animations, emoticons and background images; this has helped make it popular with kids and less puritanical computer users.

A buffer overflow can occur in the ActiveX module IMMenuShellExt. The ActiveX components are contained in the ImShExt.dll library and are marked as safe for scripting at installation, meaning that web pages can load them from within Internet Explorer. The DoWebMenuAction() method of the affected ActiveX components apparently fails to check the parameters passed to it properly, so that crafted calls can trigger a buffer overflow. US-CERT does not provide further details of the vulnerability.

The IMMenuShellExt ActiveX module's ClassID is {F8984111-38B6-11D5-8725-0050DA2761C4}. Setting the kill bit will prevent Internet Explorer from loading this module so that the vulnerability can no longer be exploited. According to US-CERT, the following code can be used to perform this action, by copying it into a text editor, saving it as a .reg file and then importing it into the registry by double-clicking:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F8984111-38B6-11D5-8725-0050DA2761C4}]
"Compatibility Flags"=dword:00000400

Alternatively, deactivating ActiveX support in Internet Explorer will also remedy the problem. Since the target group for IncrediMail is likely to prefer active content, this latter option is perhaps less practicable. Affected users should therefore set the kill bit as described above. The bug affects all versions of IncrediMail up to and including the current version 5.50. No update to fix the vulnerability is as yet available from the vendor's website.
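
An added example, not part of the original article or US-CERT's advisory: a PowerShell script that checks whether the kill bit from the .reg file above is actually in effect, testing bit 0x400 rather than comparing the whole value so that other compatibility flags are tolerated and preserved. The Wow6432Node location, the -Apply switch and the function names are assumptions that go beyond the article.

```powershell
# Added example: audit (and optionally set) the kill bit for the CLSID in the article.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$Clsid   = '{F8984111-38B6-11D5-8725-0050DA2761C4}'  # IMMenuShellExt, from the article
$KillBit = 0x400                                      # kill bit value from the .reg file
$Name    = 'Compatibility Flags'

# Assumption beyond the article: on 64-bit Windows, 32-bit Internet Explorer reads
# the Wow6432Node view, so both locations are checked when they exist.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-KillBitState {
    param([string]$Root)
    $path  = Join-Path $Root $Clsid
    $flags = 0                       # a missing key or value means no flags are set
    if (Test-Path -LiteralPath $path) {
        $prop = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.$Name }
    }
    [pscustomobject]@{
        Path       = $path
        Value      = $flags
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = [bool]($flags -band $KillBit)
    }
}

function Set-KillBit {
    param([string]$Root)
    $path = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    # OR the kill bit into the existing value so other flags survive.
    $new = (Get-KillBitState -Root $Root).Value -bor $KillBit
    New-ItemProperty -LiteralPath $path -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
}

if ($Apply) { $Roots | ForEach-Object { Set-KillBit -Root $_ } }   # needs an elevated prompt
$Roots | ForEach-Object { Get-KillBitState -Root $_ } | Format-Table Path, Flags, KillBitSet -AutoSize
```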
