Buffer overflow errors in ActiveX controls


ActiveX Buffer Overruns Advisory
Shane Hird
September 28, 1999

Disclaimer: I'm not responsible for anything, unless it's good.

This advisory outlines buffer overruns in several controls, and the vulnerability of ActiveX controls to buffer overrun attacks in general. It appears that the ActiveX/OLE/COM technology does no buffer checks before passing parameters to controls, leaving the checking up to the control in question. Hence, many poorly written controls are individually susceptible to buffer overrun attacks, independent of the environment they are controlled from and of other controls on the system. The following controls are probably just a few of the vulnerable controls in common use, and include one control from a third-party vendor (Adobe). Because these controls are marked as safe for scripting, they may be exploited through IE via a web page, through E-mail, or anywhere else where 'safe' ActiveX controls may be scripted (i.e. some newsgroup readers and other E-mail clients).

Known Affected Controls:

Acrobat Control for ActiveX   - PDF.OCX       v1.3.188
Setupctl 1.0 Type Library     - SETUPCTL.DLL  v1, 1, 0, 6
EYEDOG OLE Control module     - EYEDOG.OCX    v1.1.1.75
MSN ActiveX Setup BBS Control - SETUPBBS.OCX  v4.71.0.10
hhopen OLE Control Module     - HHOPEN.OCX    v1, 0, 0, 1
RegWizCtrl 1.0 Type Library   - REGWIZC.DLL   v3, 0, 0, 0

Each control contains at least one method that handles strings incorrectly; when it manipulates a string that is too large, a classic buffer overrun can occur, allowing arbitrary code to be executed on the client.

Protection:

Microsoft was notified of these exploits around a month ago and is releasing a patch to revoke the hhopen, regwiz and setupctl controls; a previous patch has been released for Eyedog. For the other controls, and any others found to be vulnerable, see Microsoft Knowledge Base article Q240797 on how to stop an ActiveX control from running in IE. If pain persists, disable ActiveX scripting altogether in IE.

How to Stop an ActiveX Control from Running in Internet Explorer

    http://support.microsoft.com/support/kb/articles/q240/7/97.asp
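
An audit for the controls listed above, added here as an example and not part of the original advisory: it finds registered COM classes whose server file matches one of the listed file names and reports whether each is marked safe for scripting and whether IE's kill bit is set. It assumes the kill bit is the 0x400 bit of the "Compatibility Flags" value under the "ActiveX Compatibility" key, and the -SetKillBit switch is a name made up for this example.

```powershell
# Added example (not from the advisory). Run elevated if -SetKillBit is used.
param([switch]$SetKillBit)

# File names taken from the advisory's list of affected controls.
$files   = 'PDF.OCX','SETUPCTL.DLL','EYEDOG.OCX','SETUPBBS.OCX','HHOPEN.OCX','REGWIZC.DLL'
$killBit = 0x400   # assumed: kill bit in "Compatibility Flags"
$compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$safeCat = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$root    = 'Registry::HKEY_CLASSES_ROOT\CLSID'

foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
    # The in-process server path tells us which file implements this class.
    $srvKey = "$($key.PSPath)\InprocServer32"
    $server = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    $leaf = Split-Path -Path $server.Trim('"') -Leaf
    if ($files -notcontains $leaf) { continue }      # -notcontains ignores case

    $clsid   = $key.PSChildName
    $flagKey = "$compat\$clsid"
    $flags   = (Get-ItemProperty -LiteralPath $flagKey -ErrorAction SilentlyContinue).'Compatibility Flags'

    if ($SetKillBit -and -not ($flags -band $killBit)) {
        # Create the key only if it is missing, so existing values are kept.
        if (-not (Test-Path -LiteralPath $flagKey)) {
            New-Item -Path $flagKey -Force | Out-Null
        }
        $flags = $flags -bor $killBit
        Set-ItemProperty -LiteralPath $flagKey -Name 'Compatibility Flags' -Value $flags -Type DWord
    }

    [pscustomobject]@{
        File             = $leaf
        CLSID            = $clsid
        # Category registration only; a control can also claim safety via IObjectSafety.
        SafeForScripting = Test-Path -LiteralPath "$($key.PSPath)\Implemented Categories\$safeCat"
        KillBitSet       = [bool]($flags -band $killBit)
    }
}
```

On 64-bit Windows, run it from 32-bit PowerShell as well, since 32-bit controls are registered in a separate registry view.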

-Shane Hird (s.hird@student.qut.edu.au)
 First year IT student at QUT, Brisbane, Australia.
 Sponsors?