ActiveX control bug bites Creative Labs AutoUpdate engine

ActiveX control bug bites Creative Labs AutoUpdate engine

Summary: A high-severity security flaw in the Creative Software automatic update engine could put Windows computers at risk of remote code execution attacks, according to a warning from the US-CERT (Computer Emergency Readiness Team).The vulnerability affects the software used to provide updates to Creative Labs' audio/video entertainment product line, which includes the popular Zen MP3 player line.

SHARE:

A high-severity security flaw in the Creative Software automatic update engine could put Windows computers at risk of remote code execution attacks, according to a warning from the US-CERT (Computer Emergency Readiness Team).

ActiveX vulnerability haunts Creative Labs AutoUpdate engineThe vulnerability affects the software used to provide updates to Creative Labs' audio/video entertainment product line, which includes the popular Zen MP3 player line.

This line in the US-CERT advisory is the most important:  "We are currently unaware of a practical solution to this problem."

eEye Digital Security, the company credited with reporting the bug, says a proof-of-concept is available on a public exploit site.

Vulnerability description:

The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic update capabilities to Creative Labs software. This ActiveX control is provided by the file CTSUEng.ocx. The Create Software AutoUpdate Engine ActiveX control is marked Safe For Scripting and Safe For Initialization, which means that a web page in Internet Explorer has the ability to interact with the control. This ActiveX control contains a stack buffer overflow in the CacheFolder property.

A successful attack will allow remote code execution in the context of the logged in user.  eEye warns that ActiveX remote code execution  vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet.

An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.

Mitigation: In the absence of a patch, the best form of mitigation is available by setting the CLSID for the buggy ActiveX control: 0A5FD7C5-A45C-49FC-ADB5-9952547D5715.  Instructions available in this Microsoft KB article.

It's important to note the the Creative Labs AutoUpdate Engine ActiveX is included by default with many hardware devices that Creative Labs distributes.  The hardware and software products listed below depend on the vulnerable ActiveX for updates:

Sound cards: Audigy Audigy 2 Audigy 2 LS Audigy 2 NX Audigy 2 Platinum Audigy 2 Platinum eX Audigy 2 Value Audigy 2 ZS Audigy 2 ZS Gamer Audigy 2 ZS Notebook Audigy 2 ZS Platinum Audigy 2 ZS Platinum Pro Audigy 2 ZS Video Editor Audigy 4 Pro Audigy Gamer Audigy LS Audigy MP3+ Audigy Platinum Audigy Platinum eX Live! 24-bit Live! 24-bit External Live! 5.1 Live! 5.1 Digital (Dell) Live! ADVANCED MB MP3 + Sound Blaster Audigy 2 ZS Digital Audio Sound Blaster Audigy ADVANCED MB Sound Blaster X-Fi Fatal1ty Wireless Music X-Fi Elite Pro X-Fi Platinum X-Fi XtremeMusic

USB Sound Blaster: Audigy 2 NX MP3 +

Portable Audio: MuVo MuVo NX MuVo Slim MuVo TX MuVo TX FM MuVo² X-Trainer MuVo² MuVo² FM NOMAD II 32MB NOMAD II MG NOMAD IIc NOMAD Jukebox 3 NOMAD Jukebox ZEN Rhomba

Portable Media Players: ZEN Portable Media Center ZEN Vision 30GB

MP3 Players: MuVo MuVo 2.0 / MuVo Mix MuVo Micro MuVo NX MuVo Slim MuVo Sport C100 MuVo TX MuVo TX FM MuVo V200 MuVo² X-Trainer MuVo² MuVo² FM NOMAD II 32MB NOMAD II MG NOMAD II MG Limited Edition NOMAD IIc NOMAD JukeBox NOMAD Jukebox 10GB NOMAD Jukebox 2 NOMAD Jukebox 3 NOMAD Jukebox C NOMAD Jukebox ZEN NOMAD Jukebox ZEN NX NOMAD Jukebox ZEN USB 2.0 Rhomba ZEN 20GB ZEN Micro ZEN Nano 512MB ZEN Nano Plus ZEN Neeon 5GB/6GB ZEN Portable Media Center ZEN Sleek ZEN Touch ZEN Vision 30GB ZEN Xtra

Web Cameras: Creative PC-CAM 900 Creative WebCam Vista Game Star Live! Ultra for Notebooks PC-CAM 880 WebCam Instant WebCam Instant WebCam Live! WebCam Live! Pro WebCam Live! Ultra WebCam Notebook WebCam NX WebCam NX Pro WebCam NX Ultra WebCam Vista

Video: Audigy 2 ZS Video Editor

Wireless: Wireless Music

Notebook Products: Audigy 2 NX Audigy 2 ZS Notebook Live! 24-bit External Live! Ultra for Notebooks MP3 + WebCam Notebook

Topics: Security, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

14 comments
Log in or register to join the discussion
  • Perhaps the practical solution...

    ...is to [i]not[/i] use ActiveX.
    johnay
  • No solution!? Stop using Active-X (nt)

    (nt)
    TripleII-21189418044173169409978279405827
    • Do you know what ActiveX is?

      I would suggest reading up a little. Your ignorance is showing.
      http://en.wikipedia.org/wiki/ActiveX

      The South Korean banking system uses ActiveX extensively, and has had no security problems. Why? Because they write secure code.
      If you write bad code, you will have these problems with ANY programming technology.
      mdemuth
      • Active-X is by far the #1 infection vector ever known.

        HP has weekly exploits for 2 years now. In theory, Active-X is just a conduit, but auto-run on the internet should be banned, period. There are hundreds of better ways than to use Active-X. In a non malware world, panacea, in the real world, it should be banned.

        Also, it isn't secure code in this case, it is a FLAW in the Active-X controls, like the thousands that have existed before now.

        What part of bad idea is unclear?

        TripleII
        TripleII-21189418044173169409978279405827
        • Your lack of understanding is clear

          along with blind ignorance, typical of the ABM crowd

          ActiveX is a widely used technology, hence the vector problem. but let us look.

          QuickTime has had endless security patches (as had OSX)... Nothing to do with ActiveX there.
          Oracle? From unbreakable to unfixable, no ActiveX required.
          Flash?

          Were you to ban ActiveX, whatever you replace it with will contain its own bugs, assuming the coders kept up the bad coding.
          Or you could have secure ActiveX, if best practices are used.
          mdemuth
          • Seeing boogymen that don't exist.

            JavaScript (unfortunate name shred with java). It is similar to Active-X in function. Do you want me to link to the posts where I state, unequivocally that Quicktime is garbage over and over again? I am against BAD TECHNOLOGIES, whoever they come from, nothing to do with being an ABM or NBM. I also fail to see where I bashed MS at all or pushed for any other OS.

            Are you seeing boogymen where they don't exist. I'll say it again, in a NON MALWARE world, Active-X is fine, in the real word, it should not be used. The thousands of patches over the last 10 years should be a clue it wasn't very good.

            As a developer, if I build widget XYZ with all my own code, the security footprint is small. If I built XYZ using the X component of Active-X, I also inherit ALL vulnerabilities in A through W Active X also contains. All software can have security flaws, Active-X has a long history of being the worst (by pervasiveness and use, I WOULD classify Quicktime as maybe tied)

            TripleII
            TripleII-21189418044173169409978279405827
  • the title of this news is wrong because there's not a flaw in activex

    the title of this news is wrong because there's not a flaw in activex technology, but in a particular activex poorly written by Creative
    qmlscycrajg
    • You're right

      I've fixed the headline. Thanks.

      _ryan
      Ryan Naraine
    • What about the snippet?

      [B]This ActiveX control contains a stack buffer overflow in the CacheFolder property.[/B]

      TripleII
      TripleII-21189418044173169409978279405827
      • Please educate yourself

        Follow the link I gave you.
        ActiveX is the container. You can put any code into it.
        Secure code, or code that has buffer overflows.
        mdemuth
        • Educate Yourself.

          Active-X as a runtime container is a bad idea. It is not well written and is little more than thousands of patches on an extremely weak foundation. .NET is light years better, Active-X should essentially die.

          Now, am I quoting the article wrong, or does the "container" have yet another flaw?

          If your mind was not h*ll bent on definding a bad technology, for whatever reason, you might see the problem.

          TripleII
          TripleII-21189418044173169409978279405827
          • You are quoting it wrong

            the 'container' (ActiveX) does not have a flaw, the contents of the container (the code that runs) do indeed have a flaw.
            If you not h*ll bent on being ignorant (and defending it well, I must admit), you might see that.
            mdemuth
          • It is amazing.

            You defend Active-X. Digging deeper, this is a hole in the call to the active X controller. Would it exist without Active-X? Would 1/3 of Windows machines in the US (estimates) be botted and compromised without Active-X? I could waste 3 hours posting links to literally THOUSANDS of zero day attack vectors found in Active-X, but you still defend it.

            If it was a good technology, why is it dying? If it was secure, why would it be persistent only with lazy developers? This is not just my opinion, it is millions of opinions. Active-X, despite thousands up updates, is not secure, I don't think it ever can or will be. Your own blog lists HP after HP zero day active-X flaws and you still defend it?

            It needs to die, for every hole, (pre-Vista, it's better), direct unfettered access to the OS is usually provided.
            http://www.heise-online.co.uk/security/Hole-in-Creative-ActiveX-module--/news/110829
            [I]No update is yet available from Creative. Users can protect themselves by [B]completely disabling the execution of ActiveX in the internet zone[/B] ? given the great number of security holes in a variety of ActiveX modules, [B]this is a good general policy[/B].[/I]

            From RealPlayer to Office to Works to WMP to you name the application, zero day flaws root cause in common is the Active-X portion.

            TripleII
            TripleII-21189418044173169409978279405827
  • Does IE7's ActiveX Opt-in prevent this?

    My guess is that IE7's ActiveX Opt-in feature would prevent this control from loading automatically (it would show a gold-bar if a page tried to use it).

    Unless Creative went out of there way during install to write themselves in the opt-in list in the registry...
    PB_z