F-Secure Vulnerability Information :
Ultra Office ActiveX Control Multiple Vulnerabilities

Report ID: SA31632
Source: Secunia
Date of Discovery: 29.08.2008
Criticality: Urgent
Affects: Ultra Office Control 2.x
Compromise From: From remote
Compromise Type: System access

Summary

Multiple vulnerabilities have been discovered in Ultra Office Control, which can be exploited by malicious people to compromise a user's system.

Detailed Description

Multiple vulnerabilities have been discovered in Ultra Office Control, which can be exploited by malicious people to compromise a user's system.


1) A boundary error exists in the Ultra.OfficeControl ActiveX control (OfficeCtrl.ocx) when handling parameters received by the "HttpUpload()" method. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website.

2) The "Save()" method provided by the Ultra.OfficeControl ActiveX control (OfficeCtrl.ocx) allows attackers to overwrite arbitrary files on a user's system by e.g. tricking a user into visiting a malicious website.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in version 2.0.2008.501. Other versions may also be affected.

Solution

Set the kill-bit for the affected ActiveX control.
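
One way to apply this mitigation on a Windows host, as an added example that is not part of the original advisory or vendor guidance. It assumes the control is registered under the ProgID "Ultra.OfficeControl" named above; the advisory does not list the CLSID, so the script resolves it from the local registration or takes it through the hypothetical -Clsid parameter.

```powershell
# Added example: set the kill-bit for the control named in this advisory.
# Assumption: the control is registered under the ProgID "Ultra.OfficeControl".
# Run from an elevated PowerShell prompt.
param(
    [string]$ProgId = 'Ultra.OfficeControl',
    [string]$Clsid                      # optional: '{xxxxxxxx-...}' if already known
)

$KillBit = 0x400   # kill-bit value inside the "Compatibility Flags" DWORD

# Resolve the CLSID from the ProgID registration when it was not supplied.
if (-not $Clsid) {
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) {
        throw "ProgID '$ProgId' is not registered; pass -Clsid explicitly."
    }
    $Clsid = (Get-Item $key).GetValue('')
}
if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
    throw "Unexpected CLSID format: $Clsid"
}

# Internet Explorer checks the kill-bit per CLSID. On 64-bit Windows the
# 32-bit browser reads the WOW6432Node view, so both locations are set.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $path = Join-Path $root $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Preserve any flags already present and OR in the kill-bit.
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBit
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    '{0} -> Compatibility Flags = 0x{1:X8}' -f $path, $new
}
```

The kill-bit only stops Internet Explorer from instantiating the control; OfficeCtrl.ocx remains installed and loadable by other hosts.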

CVE Reference

F-Secure Corporation