‘Highly Critical’ Microsoft ActiveX Security Bugs

Microsoft counted 106 security bulletins for 2010 when it released its final Patch Tuesday update for the year. But with 2010 now coming to a close, additional bugs are popping up – this time in an ActiveX control.

According to researchers at Secunia, “highly critical” vulnerabilities have been found impacting the Microsoft WMI Administrative Tools WMI Object Viewer ActiveX Control.

Two Flaws In Admin Tool

“Two vulnerabilities have been discovered in Microsoft WMI Administrative Tools, which can be exploited by malicious people to compromise a user’s system,” reported Secunia. “The vulnerabilities are caused due to the “AddContextRef()” and “ReleaseContext()” methods in the WMI Object Viewer Control (WBEM.SingleViewCtrl.1) using a value passed in the “lCtxHandle” parameter as an object pointer.”

The vulnerabilities are confirmed in version 1.1 (WBEMSingleView.ocx 1.50.1131.0), though other versions may be affected as well, Secunia noted. A successful exploit would enable an attacker to execute arbitrary code, the firm warned.

Dave Forstrom, director of the Trustworthy Computing at Microsoft, said there have been no reports of attacks related to the issue, and the company is investigating the matter.

“Once we’re done investigating, we will take appropriate actions to help protect customers,” he told eWEEK.

Historically, ActiveX bugs have been big targets, noted Andrew Storms, director of security operations at nCircle.

“We haven’t seen a good ActiveX scare in some time so time isn’t on our side, but it’s still too early to make a call on how things will shape up with this bug,” Storms said.

Buffer Overrun In IIS

Besides the ActiveX bugs, the company is also investigating a denial-of-service issue impacting Internet Information Services (IIS) FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Proof of concept exploit code has already been made public, according to Nazim Lala, IIS security programme manager at Microsoft.

“First, this is a Denial of Service vulnerability and remote code execution is unlikely,” Lala blogged. “The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response. The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character.”

Due to an error in this processing, it is possible to get into a state where an attacker can overwrite part of the response with a string of 0xFFs past the end of the heap buffer, Lala explained. The end result is a heap buffer overrun.

“In that situation, the only data that a malicious client controls in this overrun is the number of bytes by which the buffer is overrun,” blogged Lala. “It cannot control the data that is overwritten… Also, the malicious client does not control the addresses where data is overridden, and the data is always overridden in a sequential manner. The FTP service 7.5 is also protected by Data Execution Prevention (DEP).”

“We’ll continue to investigate this issue and, if necessary, we‘ll take appropriate action to help protect customers,” Lala wrote. “This may include providing a security update through the monthly release process or additional guidance to help customers protect themselves.”

Microsoft has issued an advisory on a previously reported vulnerability in Internet Explorer