Month Of ActiveX Bugs Reveals Critical Vulnerabilities

The latest Month of Bugs project, Month of ActiveX Bugs (MoAxB), started on May 1 and has already found two critical flaws.

First off, Microsoft's ActiveX controls, used to make Web pages richer and more interactive, are vulnerable to a denial-of-service bug in Office OCX PowerPoint Viewer, an ActiveX control that enables software to communicate with Microsoft PowerPoint files. "A vulnerability has been identified in Office OCX PowerPoint Viewer, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a buffer overflow error in 'PowerPointViewer.ocx' when calling certain methods with overly long arguments, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted Web page," said a French Security Incident Response Team analyst.

The second reported bug, which Secunia rates as "highly critical", was posted by a researcher known only as shinnai, who found several holes in an Excel Viewer OCX (confirmed in version 3.2.0.5). "The vulnerabilities are caused due to boundary errors within the Excel Viewer ActiveX control. These can be exploited to cause stack-based buffer overflows via overly long arguments passed to certain methods. Successful exploitation may allow execution of arbitrary code when a user visits a malicious Web site," wrote Secunia analysts.

News source: InformationWeek
