The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of IE: vulnerabilities of several ActiveX of May 2007

Synthesis of the vulnerability 

Several ActiveX permit a remote attacker to generate a denial of service or to execute code.
Vulnerable products: IE.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 43.
Creation date: 02/05/2007.
Revisions dates: 03/05/2007, 04/05/2007, 07/05/2007, 14/05/2007, 22/05/2007, 23/05/2007, 29/05/2007.
Références of this bulletin: BID-23733, BID-23755, BID-23784, BID-23811, BID-23833, BID-23891, BID-23907, BID-23934, BID-23957, BID-23969, BID-23986, BID-24075, BID-24093, BID-24118, BID-24127, BID-24133, BID-24142, BID-24153, BID-24163, BID-24179, BID-24184, BID-24188, BID-24193, BID-24216, BID-24217, BID-24219, BID-24254, BID-24848, BID-24883, BID-25025, CVE-2007-2494, CVE-2007-2495, CVE-2007-2496, CVE-2007-2526, CVE-2007-2576, CVE-2007-2585, CVE-2007-2588, CVE-2007-2601, CVE-2007-2644, CVE-2007-2648, CVE-2007-2657, CVE-2007-2725, CVE-2007-2744, CVE-2007-2755, CVE-2007-2771, CVE-2007-2787, CVE-2007-2827, CVE-2007-2851, CVE-2007-2855, CVE-2007-2856, CVE-2007-2895, CVE-2007-2903, CVE-2007-2918, CVE-2007-2946, CVE-2007-2980, CVE-2007-2981, CVE-2007-2982, CVE-2007-2983, CVE-2007-2984, CVE-2007-2987, CVE-2007-3076, CVE-2007-3168, CVE-2007-3169, CVE-2007-3703, CVE-2007-3984, CVE-2007-4254, VIGILANCE-VUL-6780, VU#210257, VU#330289, VU#440112, VU#603529, VU#686249, VU#933353.

Description of the vulnerability 

Several ActiveX permit a remote attacker to generate a denial of service or to execute code.

The PowerPointViewer.ocx ActiveX is provided by Microsoft PowerPoint viewer. An attacker can create a buffer overflow in parameters of its HttpDownloadFile(), Open() and OpenWebFile() methods. [severity:3/4; BID-23733, CVE-2007-2494]

The ExcelViewer.ocx ActiveX is provided by Microsoft Excel viewer. An attacker can create a buffer overflow in parameters of its HttpDownloadFile(), Open() and OpenWebFile() methods. [severity:3/4; BID-23755, CVE-2007-2495]

The WordViewer.ocx ActiveX is provided by Microsoft Word viewer. An attacker can create a buffer overflow in parameters of its HttpDownloadFile(), SaveAs(), Open(), ShowWordStandardDialog() and OpenWebFile() methods. [severity:3/4; CVE-2007-2496]

The OA.ocx ActiveX is provided by Microsoft Office viewer. An attacker can create a buffer overflow in parameters of its HttpDownloadFile(), Open() and OpenWebFile() methods. [severity:3/4; BID-23784, BID-23811, CVE-2007-2588]

The dvdtools.ocx ActiveX is provided by ActSoft DVD-Tools. An attacker can create a buffer overflow in the first parameter of its OpenDVD() method. [severity:3/4]

The advdaudio.ocx ActiveX is provided by East Wind Software. An attacker can create a buffer overflow in the first parameter of its OpenDVD() method. [severity:3/4; BID-23833, CVE-2007-2576]

The DSKernel2.dll ActiveX is provided by Sienzo Digital Music Mentor (DMM). An attacker can create a buffer overflow in the first parameter of its LockModules() and UnlockModule() methods. [severity:3/4]

The UFileUploaderD.dll ActiveX is provided by Versalsoft HTTP File Uploader. An attacker can create a buffer overflow in the first parameter of its AddFile() method. [severity:3/4]

The scvncctrl.dll ActiveX is provided by SmartCode VNC Manager. An attacker can create a buffer overflow in the first parameter of its ConnectAsyncEx() method. [severity:3/4; CVE-2007-2526]

The BarcodeWiz.dll ActiveX is provided by BarCodeWiz ActiveX Control. An attacker can create a buffer overflow in the first parameter of its Verify() method. [severity:3/4; BID-23891, CVE-2007-2585]

The RControl.dll ActiveX is provided by VNC. An attacker can create a buffer overflow in parameters of its connect() and InternalServer() methods. [severity:3/4]

An attacker can use the Save() method of Morovia Barcode ActiveX in order to overwrite a file. [severity:3/4; BID-23934, CVE-2007-2644]

An attacker can generate an overflow in SetInputFile() method of GDivX Zenith Player ActiveX. [severity:3/4; BID-23907, CVE-2007-2601]

The SaveBarCode() method of PrecisionID_DataMatrix.DLL ActiveX (PrecisionID Barcode) can be used to generate a denial of service. [severity:3/4; BID-23957, CVE-2007-2657]

The SaveEnhWMF() method of IDAutomationLinear6.dll ActiveX (ID Automation Linear Barcode) can be used to generate a buffer overflow. [severity:3/4]

The ConnectToDatabase() method of Clever Database Comparer ActiveX can be used to generate a buffer overflow. [severity:3/4; BID-23969, CVE-2007-2648]

The SaveToFile() method of DEWizardAX.ocx ActiveX (DB Software Laboratory DeWizardX) can be used to overwrite a file. [severity:3/4; BID-23986, CVE-2007-2725]

The SaveBarCode() method of PrecisionID_Barcode.dll ActiveX (PrecisionID Barcode) can be used to generate a denial of service. [severity:3/4; CVE-2007-2744]

The SaveToFile() method of PrecisionID_Barcode.dll ActiveX (PrecisionID Barcode) can be used to overwrite a file. [severity:3/4; CVE-2007-2755]

The UnlockSupport() method of ltmm15.dll ActiveX (Sienzo Digital Music Mentor - DMM) can be used to create a buffer overflow. [severity:3/4]

The BitmapDataPath() method of LTJ2K14.ocx ActiveX (LeadTools JPEG) can be used to create a buffer overflow. [severity:3/4; CVE-2007-2771, VU#440112]

The BrowseDir() method of lttmb14E.ocx ActiveX (LeadTools Thumbnail Browser) can be used to create a buffer overflow. [severity:3/4; CVE-2007-2787]

The BrowseDir() method of LTRTM14e.DLL ActiveX (LeadTools Raster Thumbnail) can be used to create a buffer overflow. [severity:3/4; CVE-2007-2787]

The WriteDataToFile() method of LTRVR14e.dll ActiveX (LeadTools Raster Variant) can be used to overwrite a file. [severity:3/4; BID-24075, CVE-2007-2851]

The DriverName parameter of ltisi14E.ocx ActiveX (LeadTools ISIS) can be used to create a buffer overflow. [severity:3/4; BID-24093, CVE-2007-2827]

The QuickZip() method of DartZipLite.dll ActiveX (Dart ZipLite Compression) can be used to create a buffer overflow. [severity:3/4; CVE-2007-2855]

The HelpPopup() method of OUACTRL.OCX ActiveX (Microsoft Office) can be used to create a buffer overflow. [severity:3/4; BID-24118, CVE-2007-2903]

The Directory parameter of LTRDF14e.DLL ActiveX (LeadTools Raster Dialog) can be used to create a buffer overflow. [severity:3/4; BID-24133, CVE-2007-2895, CVE-2007-2980]

The DestinationPath parameter of LTRDFD14e.DLL ActiveX (LeadTools Raster Dialog) can be used to create a buffer overflow. [severity:3/4; BID-24153, CVE-2007-2946]

The NotSafe() method of VDT70.DLL ActiveX (Microsoft Visual Database Tools Database Designer) can be used to create a buffer overflow. [severity:3/4; BID-24127, CVE-2007-4254]

The QuickZip() method of DartZip.dll ActiveX (Dart Communications PowerTCP ZIP Compression) can be used to create a buffer overflow. [severity:3/4; BID-24142, BID-24163, CVE-2007-2856]

The DictionaryFileName parameter of ltrdc14e.dll ActiveX (LeadTools Raster OCR Document Object) can be used to create a buffer overflow. [severity:3/4; BID-24179, CVE-2007-2981]

The DriverName parameter of LTRIS14e.DLL ActiveX (LeadTools Raster ISIS Object) can be used to create a buffer overflow. [severity:3/4; BID-24193]

The UserName parameter of ywcvwr.dll ActiveX (Yahoo! Webcam) can be used to create a buffer overflow. [severity:3/4; BID-24184]

The Color parameter of dxtmsft.dll ActiveX (DirectX Media, Image DirectX Transforms) can be used to create a buffer overflow. [severity:3/4; BID-24188]

Several buffer overflow (Fill, DebugMsgLog) were announced in sasatl.dll ActiveX (Zenturi ProgramChecker). [severity:3/4; BID-24217, BID-24848, BID-24883, BID-25025, CVE-2007-2987, CVE-2007-3703, CVE-2007-3984, VU#603529]

Several buffer overflow were announced in CDPass.dll ActiveX (Media Technology Group). [severity:3/4; CVE-2007-2984, VU#933353]

Several buffer overflow were announced in btbconnectwebcontrol.dll ActiveX (British Telecommunications Business Connect). [severity:3/4; BID-24216, CVE-2007-2982, VU#210257]

Several buffer overflow were announced in btwebcontrol.dll ActiveX (British Telecommunications Consumer). [severity:3/4; BID-24219, CVE-2007-2983, VU#686249]

The DeleteLocalFile() method of edrawofficeviewer.ocx ActiveX (EDraw Office Viewer) can be used to delete a file. [severity:3/4; CVE-2007-3168]

The HttpDownloadFile() method of edrawofficeviewer.ocx ActiveX (EDraw Office Viewer) can be used to create a buffer overflow. [severity:3/4; CVE-2007-3169]

The DownloadFile() method of sasatl.dll ActiveX (Zenturi ProgramChecker) can be used to delete a file. [severity:3/4; CVE-2007-3076]

Several overflows of Logitech VideoCall ActiveX permit an attacker to execute code:
 - VibeC (vibecontrol.dll)
 - CallManager (StarClient.dll)
 - ViewerClient (StarClient.dll)
 - ComLink (uicomlink.dll)
 - WebCamXMP (wcamxmp.dll) [severity:3/4; BID-24254, CVE-2007-2918, VU#330289]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability bulletin impacts software or systems such as IE.

Our Vigil@nce team determined that the severity of this security note is important.

The trust level is of type confirmed by a trusted third party, with an origin of document.

This bulletin is about 43 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a beginner ability can exploit this cybersecurity note.

Solutions for this threat 

IE: workaround for ActiveX of May 2007.
It is recommended to deactivate ActiveX in internet zone.
A workaround is to set Kill Bit:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
    {00140020-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140050-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140200-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140780-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140797-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {00150BA1-B1BA-11CE-ABC6-F5B2E79D9E3F}
    {03CB9467-FD9D-42A8-82F9-8615B4223E6E}
    {048313BB-3B82-47A8-8164-533F1D7C7C9D}
    {053AFEBA-D968-435F-B557-19FF76372B1B}
    {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
    {0FA0B4FF-1A6F-4D89-995C-29FFD33F4EE0}
    {18A295DA-088E-42D1-BE31-5028D7F9B965}
    {18A295DA-088E-42D1-BE31-5028D7F9B9B5}
    {18B409DA-241A-4BD8-AC69-B5D547D5B141}
    {2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B}
    {24E0CD64-A8DE-4BE4-9706-4CFC89D212C9}
    {28776DAD-5914-42A7-9139-8FD7C756BBDD}
    {2A515FCD-C0E9-4F38-9C77-2949514366F2}
    {421516C1-3CF8-11D2-952A-00C04FA34F05}
    {42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD}
    {42BA826E-F8D8-4D8D-8C05-14ABCE99D4DD}
    {46C66BBD-E667-4dad-9682-58050E7C9FDC}
    {54da0fb5-483a-4c53-810b-f131d50a8eb6}
    {59DBDDA6-9A80-42A4-B824-9BC50CC172F5}
    {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD}
    {6577b09d-c39d-4e22-9913-c99803f9c388}
    {66C7B32A-9642-41A4-BCF7-A166D1547770}
    {6754F588-E262-42D2-A6BC-3BB400ACFEED}
    {6C951D10-B07F-11DB-A6ED-0050C2490048}
    {731766D0-8541-11DB-99C1-0050C2490048}
    {7D6B5B24-FC7E-11D1-9288-00104B885781}
    {894A633E-F261-28BD-96F3-380EBEE1BADE}
    {8936033C-4A50-11D1-98A4-00A0C90F27C6}
    {90403303-EF21-4771-A41A-651089892EDD}
    {917b29f8-e72a-4761-8371-bf7fca27eb31}
    {97AF4A45-49BE-4485-9F55-91AB40F22B92}
    {97AF4A45-49BE-4485-9F55-91AB40F22BF2}
    {995A778F-E846-48DD-94F2-280FDED1AADF}
    {9D39223E-AE8E-11D4-8FD3-00D0B7730277}
    {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1}
    {bef0f488-3562-435f-8e89-79d94c9a528c}
    {bf4c7b03-f381-4544-9a33-cb6dad2a87cd}
    {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
    {E82ED244-76EF-4D34-BDB3-AB21A522F38E}
    {E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9}
    {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3}
      "Compatibility Flags"=dword:00000400
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides networks vulnerabilities announces. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.