And now, Month of ActiveX Bugs

Summary: After a brief lull -- and two fakes -- the "month of bugs" security projects are back, taking aim this time at flaws in ActiveX controls used by software developers.


The MoAxB (Month of ActiveX Bugs) kicked off on May 1 with details of a denial-of-service flaw in Office OCX PowerPoint Viewer, an ActiveX control that allows applications to display and interact with Microsoft PowerPoint files.

FrSIRT rates this bug as "critical" and warns that code execution may be possible:

This issue is caused by a buffer overflow error in "PowerPointViewer.ocx" when calling certain methods e.g. "HttpDownloadFile()" with overly long arguments, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page.

The second release from MoAxB, which is the brainchild of a hacker known as "shinnai," pinpoints multiple holes in the Excel Viewer OCX that could also present code execution risks.

Secunia slaps a "highly critical" rating on this issue:

The vulnerabilities are caused due to boundary errors within the Excel Viewer ActiveX control (ExcelViewer.ocx). These can be exploited to cause stack-based buffer overflows via overly long arguments passed to certain methods (e.g. "HttpDownloadFile()" or "OpenWebFile()"). Successful exploitation may allow execution of arbitrary code when a user visits a malicious website.
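Both advisories describe the same bug class: an ActiveX method takes a caller-supplied string (a URL or file path) and copies it into a fixed-size stack buffer without checking its length, so a web page that scripts the control can pass a few thousand bytes and overwrite the saved frame. The snippet below is an added illustration of that pattern beside its hardened form; it is not code from PowerPointViewer.ocx, ExcelViewer.ocx, or either advisory. The method names `HttpDownloadFile_unsafe`/`HttpDownloadFile_safe`, the 260-byte buffer size, and the `make_long_arg` helper are assumptions chosen for the example.

```c
/* Constructed illustration of the bug class behind the MoAxB advisories:
 * a COM/ActiveX method copies a caller-supplied string into a fixed-size
 * stack buffer. Not the code of PowerPointViewer.ocx or ExcelViewer.ocx. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define S_OK          0L
#define E_INVALIDARG  ((long)0x80070057L)   /* real HRESULT value for a bad argument */
#define LOCAL_PATH    260                   /* MAX_PATH-sized buffer: an assumed size */

/* Vulnerable shape: strcpy() trusts the argument length. Any url of
 * LOCAL_PATH bytes or more writes past 'local' into the saved frame.
 * Never call this with attacker-controlled input; it is here to show the defect. */
long HttpDownloadFile_unsafe(const char *url)
{
    char local[LOCAL_PATH];
    strcpy(local, url);                     /* no bound check: stack-based overflow */
    return S_OK;
}

/* Hardened shape: reject the argument before copying, and bound every copy.
 * 'copy' stands in for whatever the method does with the validated string. */
long HttpDownloadFile_safe(const char *url, char *copy, size_t copylen)
{
    char local[LOCAL_PATH];
    size_t n;

    if (url == NULL || copy == NULL)
        return E_INVALIDARG;
    n = strlen(url);
    if (n >= LOCAL_PATH)                    /* leave room for the terminating NUL */
        return E_INVALIDARG;
    memcpy(local, url, n + 1);
    if (n + 1 > copylen)
        return E_INVALIDARG;
    memcpy(copy, local, n + 1);
    return S_OK;
}

/* Would an argument of this length overrun the unsafe method's buffer? */
int overflows_local(size_t arglen)
{
    return arglen >= LOCAL_PATH;
}

/* Build the kind of argument a malicious page passes: n bytes of 'A'.
 * Constructed input; caller frees the result. */
char *make_long_arg(size_t n)
{
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return NULL;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return arg;
}

/* Drive the hardened method with an argument of the given length and
 * return its HRESULT, so the behaviour can be checked without a crash. */
long call_safe_with_arg_len(size_t n)
{
    char out[LOCAL_PATH];
    char *arg = make_long_arg(n);
    long hr;

    if (arg == NULL)
        return E_INVALIDARG;
    hr = HttpDownloadFile_safe(arg, out, sizeof out);
    free(arg);
    return hr;
}

int main(void)
{
    char out[LOCAL_PATH];
    const char *normal = "http://example.invalid/deck.ppt";   /* constructed URL */

    printf("safe(normal)   -> 0x%08lx\n", HttpDownloadFile_safe(normal, out, sizeof out));
    printf("safe(2000 x A) -> 0x%08lx\n", call_safe_with_arg_len(2000));
    printf("unsafe would overflow with 2000 bytes: %d\n", overflows_local(2000));
    /* HttpDownloadFile_unsafe(make_long_arg(2000)) is what the malicious page
     * triggers; it is deliberately not executed here. */
    return 0;
}
```

The check that matters is the `n >= LOCAL_PATH` comparison before any copy; the second bound on `copylen` keeps the validated string from overflowing the next buffer it is handed to. A control that takes the argument as a BSTR would do the same test against `SysStringLen()` before converting it.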

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
