Attackers could exploit a serious security flaw in Ask.com's popular Internet Explorer toolbar to execute malicious code on targeted computers, researchers warned Tuesday. WabiSabiLabi Ltd., a controversial eBay-like marketplace for zero-day flaws, is offering proof-of-concept code for auction.
The security hole was discovered by researcher Joey Mengele and involves a buffer overflow flaw in an ActiveX control embedded in the toolbar.
Danish vulnerability clearinghouse Secunia said in its SA26960 advisory that the flaw is highly critical because it is unpatched and attackers could exploit it remotely to gain system access.
"The vulnerability is caused due to a boundary error in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control (askBar.dll) when handling the 'ShortFormat' property," Secunia said. "This can be exploited to cause a stack-based buffer overflow by assigning an overly long (greater than 500 bytes) string to the affected property. Successful exploitation allows execution of arbitrary code."
Secunia said it was able to independently confirm Mengele's findings version 4.0.2 of the toolbar, and warned that other versions may be affected as well. To mitigate the risk, the firm recommends users set the kill-bit for the affected ActiveX control.
Ask.com spokesman Nicholas Graham said in an email Wednesday that "Ask.com takes security very seriously. We were notified of a buffer overflow issue in the Ask.com IE toolbar, and on Wednesday we released the fix," he said. "All Ask.com toolbar users were automatically notified of the update. In addition, we posted information online via our IE toolbar FAQ site that informed Ask.com toolbar users of the issue and the resolution."
As of Wednesday morning eastern time, WabiSabiLabi Ltd. was auctioning the flaw for a minimum of 500 Euros [approximately $1,000]. No bids were listed, however.
In a description on the auction page, WabiSabiLabi said, "Ask.com toolbar suffers from a remote vulnerability … Affected version is 18.104.22.168 … PoC is included … Further information is for registered bidders only."
The creators of WabiSabiLabi have said the marketplace was established to sell security research because few researchers are able or willing to report their findings to the right people out of fear of being exploited. But IT security pros have largely criticized WabiSabiLabi as just another way for malware to get into the wild and threaten their networks.