TPTI-07-09: Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-09
June 4, 2007

-- CVE ID:
CVE-2007-2419

-- Affected Vendor:
Macrovision

-- Affected Products:
Update Service 3.x
Update Service 4.x
Update Service 5.x
FLEXnet Connect 6

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since November 6, 2006 by Digital Vaccine protection filter ID 4323, 4327. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Business Objects Crystal Reports. Exploitation requires the target to visit a malicious web site.

This specific flaw exists within the ActiveX control with CLSID 85A4A99C-8C3D-499E-A386-E0743DFF8FB7. Specifying large values to two specific functions available in this control results in an exploitable stack based buffer overflow. The vulnerable function / parameters include:

    * DownloadAndExecute(), second of five parameters
    * AddFileEx(), third of seven parameters

-- Vendor Response:
Notification was recently (January) sent to Macrovision customers about the vulnerability and the correct way to resolve it (patching to a newer version of the agent resolves the issue). The exact timing of this deployment is left to our customers and partner.

-- Disclosure Timeline:
2006.06.22 - Vulnerability reported to vendor
2006.11.06 - Digital Vaccine released to TippingPoint customers
2007.06.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint DVLabs
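-- Added example (not part of the TippingPoint advisory or its Digital Vaccine filters):
A static triage check over saved web content that finds calls to the two methods named under Vulnerability Details on pages referencing the control's CLSID, and reports the parameter the advisory identifies. The 256-character threshold, the sample page and its placeholder argument values are assumptions; the advisory says only "large values".

```python
import re

# From the advisory: the control's CLSID and the 1-based position of the
# overflowing parameter in each method. Names are matched case-insensitively.
CLSID = "85A4A99C-8C3D-499E-A386-E0743DFF8FB7"
RISKY_PARAM = {"downloadandexecute": 2, "addfileex": 3}
CALL_RE = re.compile(r"\.\s*(DownloadAndExecute|AddFileEx)\s*\(", re.I)
LITERAL_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
TOKEN_RE = re.compile(
    r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([(\[{])|([)\]}])|(,)|[^"'()\[\]{},]+|.""", re.S)

# Constructed sample page (placeholder arguments, not taken from the advisory).
SAMPLE = '''<object id="ctl" classid="clsid:85A4A99C-8C3D-499E-A386-E0743DFF8FB7"></object>
<script>
var u = buildValue();
ctl.DownloadAndExecute("a", u, "c", "d", "e");
ctl.AddFileEx("a", "b, still b", "0123456789abcdef", "d", "e", "f", "g");
ctl.addfileex("a", "b", "short", "d", "e", "f", "g");
</script>'''

def split_args(text, start):
    """Split call arguments at top-level commas; start is the index after '('."""
    args, cur, depth = [], "", 0
    for tok in TOKEN_RE.finditer(text, start):
        if tok.group(3) and depth == 0:        # the call's own closing bracket
            return args + [cur.strip()]
        if tok.group(4) and depth == 0:        # comma separating two arguments
            args, cur = args + [cur.strip()], ""
        else:                                  # track nesting, keep the text
            depth += 1 if tok.group(2) else -1 if tok.group(3) else 0
            cur += tok.group(0)
    return []  # unterminated call: nothing reliable to report

def scan(html, max_len=256):
    """Return (method, position, reason) tuples; max_len is an assumed threshold."""
    if CLSID.lower() not in html.lower():
        return []  # page does not reference the control
    findings = []
    for m in CALL_RE.finditer(html):
        pos = RISKY_PARAM[m.group(1).lower()]
        args = split_args(html, m.end())
        if len(args) < pos:
            continue
        lit = LITERAL_RE.fullmatch(args[pos - 1])
        if lit is None:  # variable or expression: length unknown, review by hand
            findings.append((m.group(1), pos, "non-literal"))
        elif len(lit.group(2)) > max_len:
            findings.append((m.group(1), pos, "literal:%d" % len(lit.group(2))))
    return findings
```

A "non-literal" finding means the argument's length cannot be determined statically, so the page needs manual review.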