A serious ActiveX flaw in SAP's graphical user interface (GUI) could be exploited by an attacker to gain access to critical files and sensitive data.
SAPgui is used in the company's enterprise resource planning applications. Based in Waldorf, Germany, the software vendor says it has more than 75,000 customers.
The vulnerability can be exploited remotely by an unauthenticated hacker, according to an advisory issued by the United States Computer Emergency Readiness Team (US-CERT). The flaw is in the ActiveX control, MDrmSap, which could crash Internet Explorer when handling malicious code, US-CERT said.
Danish vulnerability clearinghouse Secunia gave the flaw a highly critical rating. To exploit the flaw, an attacker must trick a user into viewing a malicious website or email message, Secunia said.
SAP issued an update correcting the flaw. As a workaround, the vulnerable ActiveX control can be disabled in Internet Explorer by setting the appropriate kill bit, or by disabling ActiveX in the Internet Zone, US-CERT said in its advisory.