SAP issues update to correct critical ActiveX flaw

By SearchSecurity.com Staff 07 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SAP issued an update to correct an ActiveX flaw that plagues its graphical user interface (GUI). The flaw could be exploited by an attacker to gain access to sensitive data.

The SAP interface is used in the software vendor's enterprise resource planning applications.

The flaw was discovered by Carsten Eiram, a researcher with Danish vulnerability clearinghouse Secunia. In the Secunia advisory, Eiram said an error in the TabOne ActiveX control could be remotely exploited to cause a heap-based buffer overflow by adding multiple tabs. Secunia gave the flaw a highly critical rating.

"Successful exploitation may allow execution of arbitrary code," Secunia said.

SAP issued an update correcting the flaw. Version 7.10 sets the kill-bit for the ActiveX control.

The Waldorf, Germany-based software vendor has corrected a number of ActiveX flaws in the past. SAP issued an update to its GUI in November, correcting an ActiveX flaw that could crash Internet Explorer if an attacker passed malicious code.

Tags: Securing Productivity Applications,  Web Application Security,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications Adobe issues first quarterly patch release fixing 13 flaws Adobe shifts to Microsoft patching process, incident response plan Balancing security and performance: Protecting layer 7 on the network Software Piracy pandemic needs government role, better vendor antipiracy plans McAfee to acquire Solidcore Systems for whitelisting Adobe issues Reader update fixing zero-day flaw Microsoft to patch critical PowerPoint zero-day flaw PCI DSS: Best practices for compliance Adobe working on patch to correct new zero-day flaw Secure software development starts before coding begins Web Application Security Month of Twitter Bugs project to document Twitter flaws Are Web application penetration tests still important? IT pros can detect, prevent website vulnerabilities, thwart attacks PCI compliance requirement 6: Systems and applications Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert IT managers under pressure to weaken Web security policy US-CERT warns of Gumblar, Martuz drive-by exploits XSS bugs, information leakage top list of website vulnerabilities How to find and stop automated SQL injection attacks More companies seek third-party Web app code review, survey finds Web Server Threats and Countermeasures Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security How to harden Linux operating systems How to clear out anonymous Web proxy servers in the workplace Information security book excerpts and reviews Is it more secure to have a mainframe or a collection of servers? How does a Web server model differ from an application server model?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary