Data Dynamics ActiveBar ActiveX Controls Code Execution

This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has an ActiveX control installed that is
affected by a code execution vulnerability.

Description :

One or more of the Data Dynamics ActiveBar ActiveX controls installed
on the remote Windows host is affected by a code execution
vulnerability due to unspecified issues in the 'Save()',
'SaveLayoutChanges()', 'SaveMenuUsageData()', and 'SetLayoutData()'
methods.

Note that Data Dynamics ActiveBar is bundled with IBM Rational System
Architect.

See also :

https://www-304.ibm.com/support/docview.wss?uid=swg21497689
https://technet.microsoft.com/library/security/2562937
https://www-01.ibm.com/support/docview.wss?uid=swg24029808
https://www-01.ibm.com/support/docview.wss?uid=swg24029810

Solution :

Multiple solutions exist to resolve this vulnerability :

- Upgrade to IBM Rational System Architect 11.3.1.4 (eGA
29 April 2011) / 11.4.0.3 (eGA 29 April 2011) or later.

- Install Microsoft KB2562937 (Update Rollup for ActiveX
Kill Bits).

- Disable the use of the vulnerable ActiveX controls
within Internet Explorer per the IBM advisory.

- Disable all ActiveX controls in the Internet Zone.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.8
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 54841

Bugtraq ID: 24959, 47643

CVE ID: CVE-2007-3883, CVE-2011-1207
