In association with heise online

16 July 2007, 12:11

Vulnerabilities in Interactual ActiveX

Security service provider Secunia has reported security flaws in ActiveX modules of Interactual and Cineplayer. Attackers can use manipulated web pages for arbitrary code injection and execution. This software is often shipped with movie DVDs to supply users with additional online content, so its deployment base is wide, and Secunia has rated these vulnerabilities as "highly critical".

A buffer overflow may occur in the ActiveX module IAMCE.dll when a FailURL string exceeding 256 bytes in length is processed. In the IAKey.dll module, a buffer overflow is caused if the URLCode has a length of more than 900 bytes. According to Secunia, both bugs can be exploited by attackers for arbitrary code injection and execution.

The flaws have been confirmed for Interactual and Cineplayer 3.2; older versions may also be affected. Cineplayer is only susceptible to the bug in the IAKey.dll module. According to the advisory by Secunia, the vendor is currently working on an update. The security service provider advises users to set the kill-bit for the affected ActiveX modules. However, new vulnerabilities in ActiveX components are detected all the time, so users should preferably disable ActiveX completely in the Internet zone.
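
One way to apply the kill-bit advice above on a Windows host, as an added example that is not from Secunia, the vendor or the original article. The text here does not list the controls' CLSIDs, so the script assumes the modules are registered locally and looks the CLSIDs up by DLL file name, then sets the 0x400 kill-bit flag under Internet Explorer's `ActiveX Compatibility` key; the script name and parameter name are hypothetical.

```powershell
# Added example. Save as Set-InterActualKillBit.ps1 (hypothetical name) and run elevated.
# Preview first with: .\Set-InterActualKillBit.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DLL names as given in the advisory text
    [string[]]$Modules = @('IAMCE.dll', 'IAKey.dll')
)

$KillBit  = 0x400                    # Compatibility Flags bit that blocks loading in IE
$FlagName = 'Compatibility Flags'
$IeKey    = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# COM registration hive paired with its kill-bit hive: native view, then 32-bit view on x64
$Views = @(
    @{ Clsid = 'HKLM:\SOFTWARE\Classes\CLSID';             Compat = "HKLM:\SOFTWARE\$IeKey" },
    @{ Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'; Compat = "HKLM:\SOFTWARE\Wow6432Node\$IeKey" }
)

foreach ($view in $Views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    foreach ($class in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
        # The default value of InprocServer32 holds the path of the DLL that implements the class
        try   { $server = $class.OpenSubKey('InprocServer32') } catch { continue }
        if ($null -eq $server) { continue }
        $dll = [string]$server.GetValue('')
        $server.Close()
        $leaf = ($dll.Trim('"') -split '\\')[-1]
        if ($Modules -notcontains $leaf) { continue }

        $target = Join-Path $view.Compat $class.PSChildName
        $before = $null
        if (Test-Path -LiteralPath $target) {
            $before = (Get-ItemProperty -LiteralPath $target).$FlagName
        }
        if ($PSCmdlet.ShouldProcess($target, "set kill bit for $leaf")) {
            if (-not (Test-Path -LiteralPath $target)) { New-Item -Path $target -Force | Out-Null }
            # OR the bit in so any flags already present are preserved
            Set-ItemProperty -Path $target -Name $FlagName -Value ([int]$before -bor $KillBit) -Type DWord
        }
        [pscustomobject]@{
            Module = $leaf
            Clsid  = $class.PSChildName
            Key    = $target
            Before = $before
            After  = (Get-ItemProperty -LiteralPath $target -ErrorAction SilentlyContinue).$FlagName
        }
    }
}
```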
