A high-severity security flaw in the Creative Software automatic update engine could put Windows computers at risk of remote code execution attacks, according to a warning from the US-CERT (Computer Emergency Readiness Team).
The vulnerability affects the software used to provide updates to Creative Labs' audio/video entertainment product line, which includes the popular Zen MP3 player line.
This line in the US-CERT advisory is the most important: "We are currently unaware of a practical solution to this problem."
eEye Digital Security, the company credited with reporting the bug, says a proof-of-concept is available on a public exploit site.
Vulnerability description:
The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic update capabilities to Creative Labs software. This ActiveX control is provided by the file CTSUEng.ocx. The Creative Software AutoUpdate Engine ActiveX control is marked Safe For Scripting and Safe For Initialization, which means that a web page in Internet Explorer has the ability to interact with the control. This ActiveX control contains a stack buffer overflow in the CacheFolder property.
A successful attack will allow remote code execution in the context of the logged-in user. eEye warns that ActiveX remote code execution vulnerabilities have very high impact, since the source of the malicious payload can be any site on the Internet.
The problem is even more critical when users are administrators on their local hosts, since the malicious payload would then run with Administrator privileges.
Mitigation: In the absence of a patch, the best available mitigation is to set the kill bit for the CLSID of the buggy ActiveX control, 0A5FD7C5-A45C-49FC-ADB5-9952547D5715, so that Internet Explorer refuses to load it. Instructions are available in this Microsoft KB article.
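One way to apply that mitigation from an elevated PowerShell prompt, as an added example that is not from the US-CERT advisory, eEye or Creative. It assumes Microsoft's documented kill-bit mechanism: the per-CLSID "Compatibility Flags" DWORD under the ActiveX Compatibility key, with 0x400 as the kill bit.

```powershell
# Added example (not from the advisory): set the Internet Explorer kill bit for the
# Creative AutoUpdate Engine control (CTSUEng.ocx) so IE will not instantiate it.
# Must run as Administrator because it writes under HKLM.
$Clsid   = '{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}'   # CLSID from the advisory
$KillBit = 0x400                                        # Microsoft's documented kill-bit flag
$Name    = 'Compatibility Flags'

# Native hive, plus the 32-bit redirected hive on 64-bit Windows (only if it exists)
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags([string]$Path) {
    # Returns the current flags DWORD, or 0 if the key or value does not exist yet
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 0 } else { return [int]$v }
}

function Test-KillBit([string]$Path) {
    # True when bit 0x400 is present in Compatibility Flags
    return ((Get-CompatFlags $Path) -band $KillBit) -ne 0
}

foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # OR the kill bit into the existing value so any other flags are preserved
    $flags = (Get-CompatFlags $p) -bor $KillBit
    Set-ItemProperty -Path $p -Name $Name -Value $flags -Type DWord
    if (Test-KillBit $p) { Write-Output "Kill bit set: $p" }
    else                 { Write-Warning "Kill bit NOT set: $p" }
}
```

Re-run the script after any Creative software reinstall, since an installer may recreate the control without touching the kill-bit key; `Test-KillBit` can be used on its own to audit a machine.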
It's important to note that the Creative Labs AutoUpdate Engine ActiveX control is included by default with many hardware devices that Creative Labs distributes. The hardware and software products listed below depend on the vulnerable ActiveX control for updates:
Sound cards: Audigy, Audigy 2, Audigy 2 LS, Audigy 2 NX, Audigy 2 Platinum, Audigy 2 Platinum eX, Audigy 2 Value, Audigy 2 ZS, Audigy 2 ZS Gamer, Audigy 2 ZS Notebook, Audigy 2 ZS Platinum, Audigy 2 ZS Platinum Pro, Audigy 2 ZS Video Editor, Audigy 4 Pro, Audigy Gamer, Audigy LS, Audigy MP3+, Audigy Platinum, Audigy Platinum eX, Live! 24-bit, Live! 24-bit External, Live! 5.1, Live! 5.1 Digital (Dell), Live! ADVANCED MB, MP3 +, Sound Blaster Audigy 2 ZS Digital Audio, Sound Blaster Audigy ADVANCED MB, Sound Blaster X-Fi Fatal1ty, Wireless Music, X-Fi Elite Pro, X-Fi Platinum, X-Fi XtremeMusic
USB Sound Blaster: Audigy 2 NX, MP3 +
Portable Audio: MuVo, MuVo NX, MuVo Slim, MuVo TX, MuVo TX FM, MuVo² X-Trainer, MuVo², MuVo² FM, NOMAD II 32MB, NOMAD II MG, NOMAD IIc, NOMAD Jukebox 3, NOMAD Jukebox ZEN, Rhomba
Portable Media Players: ZEN Portable Media Center, ZEN Vision 30GB
MP3 Players: MuVo, MuVo 2.0 / MuVo Mix, MuVo Micro, MuVo NX, MuVo Slim, MuVo Sport C100, MuVo TX, MuVo TX FM, MuVo V200, MuVo² X-Trainer, MuVo², MuVo² FM, NOMAD II 32MB, NOMAD II MG, NOMAD II MG Limited Edition, NOMAD IIc, NOMAD JukeBox, NOMAD Jukebox 10GB, NOMAD Jukebox 2, NOMAD Jukebox 3, NOMAD Jukebox C, NOMAD Jukebox ZEN, NOMAD Jukebox ZEN NX, NOMAD Jukebox ZEN USB 2.0, Rhomba, ZEN 20GB, ZEN Micro, ZEN Nano 512MB, ZEN Nano Plus, ZEN Neeon 5GB/6GB, ZEN Portable Media Center, ZEN Sleek, ZEN Touch, ZEN Vision 30GB, ZEN Xtra
Web Cameras: Creative PC-CAM 900, Creative WebCam Vista, Game Star, Live! Ultra for Notebooks, PC-CAM 880, WebCam Instant, WebCam Live!, WebCam Live! Pro, WebCam Live! Ultra, WebCam Notebook, WebCam NX, WebCam NX Pro, WebCam NX Ultra, WebCam Vista
Video: Audigy 2 ZS Video Editor
Wireless: Wireless Music
Notebook Products: Audigy 2 NX, Audigy 2 ZS Notebook, Live! 24-bit External, Live! Ultra for Notebooks, MP3 +, WebCam Notebook