SAP issues update to correct critical ActiveX flaw

By SearchSecurity.com Staff 07 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SAP issued an update to correct an ActiveX flaw that plagues its graphical user interface (GUI). The flaw could be exploited by an attacker to gain access to sensitive data.

The SAP interface is used in the software vendor's enterprise resource planning applications.

The flaw was discovered by Carsten Eiram, a researcher with Danish vulnerability clearinghouse Secunia. In the Secunia advisory, Eiram said an error in the TabOne ActiveX control could be remotely exploited to cause a heap-based buffer overflow by adding multiple tabs. Secunia gave the flaw a highly critical rating.

"Successful exploitation may allow execution of arbitrary code," Secunia said.

SAP issued an update correcting the flaw. Version 7.10 sets the kill-bit for the ActiveX control.

The Waldorf, Germany-based software vendor has corrected a number of ActiveX flaws in the past. SAP issued an update to its GUI in November, correcting an ActiveX flaw that could crash Internet Explorer if an attacker passed malicious code.

Tags: Securing Productivity Applications,  Web Application Security,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications Adobe issues patch fixing month-long PDF zero-day vulnerability Another PDF attack targets Adobe zero-day vulnerability Active PDF attacks target Reader, Acrobat zero-day vulnerability Software piracy group offers cash to whistleblowers How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Web Application Security Attackers zero in on Web application vulnerabilities Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues Web application attacks security guide: Preventing attacks and flaws Using unique device identification for bank website security Information security book excerpts and reviews Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Web Server Threats and Countermeasures Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability How do passwordless SSH keys represent an enterprise attack vector? Information security book excerpts and reviews Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary