Month of ActiveX Bugs Bears Dangerous Fruit

On the heels of the Month of Kernel Bugs, Month of Browser Bugs, Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX Bugs (MoAxB). Launched by someone who uses the name "shinnai," the project has so far revealed at least five serious vulnerabilities that can allow remote code execution.

When the first bug reports were posted on the project's Web site, a few members of the Full Disclosure mailing list let out a mocking yawn because the revealed problems were labeled as Denial of Service (DoS) conditions. But, because many DoS problems are the result of buffer overflow conditions, other researchers, including the French Security Incident Response Team (FrSIRT) and Secunia, determined that three of the vulnerabilities could allow remote code execution.

Those vulnerabilities involve the PowerPoint Viewer OCX, Word Viewer OCX, and Excel Viewer OCX offered by Office OCX, a third-party commercial developer. Office OCX's fourth product, Office Viewer OCX, is vulnerable in the same way. Not long after the vulnerabilities were published, working exploit code that takes advantage of them became available.

On May 4, another vulnerability was posted to MoAxB regarding ActSoft DVD Tools from ActiveX Soft, which is a tool that lets people extract audio from DVDs and convert DVDs into various formats. Again, within a matter of hours, a working exploit was published. The code, which is designed as a Metasploit module, lets an intruder spawn a remote command shell on an affected system.

So far, MoAxB is evidently revealing a series of very dangerous bugs, and because exploit code for the bugs is being produced so rapidly, security administrators should keep a close eye on the project as it continues to unfold over the next several weeks.
