May 30th, 2008

ActiveX control bug bites Creative Labs AutoUpdate engine

Posted by Ryan Naraine @ 10:24 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Hackers, Microsoft, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Webcam, Zen, Automatic Update, Vulnerability, Blaster Worm, ActiveX, Creative Labs Inc., Create Software AutoUpdate Engine ActiveX Control, ActiveX/COM/COM+/DCOM, Patches

A high-severity security flaw in the Creative Software automatic update engine could put Windows computers at risk of remote code execution attacks, according to a warning from the US-CERT (Computer Emergency Readiness Team).

The vulnerability affects the software used to provide updates to Creative Labs’ audio/video entertainment product line, which includes the popular Zen MP3 player line.

This line in the US-CERT advisory is the most important:  “We are currently unaware of a practical solution to this problem.”

eEye Digital Security, the company credited with reporting the bug, says a proof-of-concept is available on a public exploit site.

Vulnerability description:

The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic update capabilities to Creative Labs software. This ActiveX control is provided by the file CTSUEng.ocx. The Creative Software AutoUpdate Engine ActiveX control is marked Safe For Scripting and Safe For Initialization, which means that a web page in Internet Explorer has the ability to interact with the control. This ActiveX control contains a stack buffer overflow in the CacheFolder property.

A successful attack will allow remote code execution in the context of the logged-in user. eEye warns that ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet.

An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.

Mitigation:
In the absence of a patch, the best form of mitigation is to set the kill bit for the CLSID of the buggy ActiveX control: 0A5FD7C5-A45C-49FC-ADB5-9952547D5715. Instructions are available in this Microsoft KB article.
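As an added example (not code from the article, US-CERT, eEye, Creative Labs or Microsoft), the following PowerShell script does two things the two passages above describe: it audits whether the control is registered and whether it advertises itself as Safe For Scripting / Safe For Initialization through its registry component categories, and then sets the Internet Explorer kill bit for the CLSID quoted above so IE will no longer instantiate it. The function names are my own; the CLSID comes from the article, and the category GUIDs, the "ActiveX Compatibility" key and the 0x400 "Compatibility Flags" value are the Microsoft-documented kill-bit mechanism. Run it from an elevated prompt.

```powershell
# Added example, not the article's or vendor's code. Audits the Creative Software
# AutoUpdate Engine ActiveX control and sets the IE kill bit for its CLSID.
# CLSID as quoted in the article; everything else is standard Windows registry layout.
$Clsid = '{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}'

# Component categories a control registers to claim it is safe for IE to script/initialize.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Kill-bit storage. The Wow6432Node copy covers 32-bit IE on 64-bit Windows,
# so it is only added when that hive branch exists.
$KillBitPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}
$KillBitFlag = 0x400   # "Compatibility Flags" bit that tells IE never to instantiate the control

function Get-ActiveXControlInfo {
    # Report whether the control is registered, which file backs it (should be CTSUEng.ocx),
    # and whether it is marked safe for scripting / initialization via registry categories.
    $result = [ordered]@{ Clsid = $Clsid; Registered = $false; Server = $null;
                          SafeForScripting = $false; SafeForInitializing = $false }
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $result.Registered = $true
            $server = Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue
            if ($server) { $result.Server = $server.'(default)' }
            $cats = Join-Path $key 'Implemented Categories'
            if (Test-Path (Join-Path $cats $CatSafeForScripting))    { $result.SafeForScripting    = $true }
            if (Test-Path (Join-Path $cats $CatSafeForInitializing)) { $result.SafeForInitializing = $true }
        }
    }
    [pscustomobject]$result
}

function Test-ActiveXKillBit {
    # True only when the kill bit is present in every applicable compatibility key.
    $set = $true
    foreach ($path in $KillBitPaths) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBitFlag) -eq 0)) { $set = $false }
    }
    $set
}

function Set-ActiveXKillBit {
    # OR the kill bit into any existing flags rather than overwriting them.
    foreach ($path in $KillBitPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBitFlag
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
    }
}

'Control status before mitigation:'
Get-ActiveXControlInfo | Format-List
Set-ActiveXKillBit
'Kill bit present in all compatibility keys: ' + (Test-ActiveXKillBit)
```

Two caveats a practitioner should keep in mind: the registry categories are only one way a control claims to be safe (a control can also answer IObjectSafety at runtime, which a registry audit cannot see), so "SafeForScripting = False" here does not prove IE will refuse to script it; and the kill bit only blocks instantiation from Internet Explorer and other hosts that honour the compatibility flags, so the vulnerable CTSUEng.ocx stays on disk and still needs the vendor fix when one ships.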

It’s important to note that the Creative Labs AutoUpdate Engine ActiveX is included by default with many hardware devices that Creative Labs distributes. The hardware and software products listed below depend on the vulnerable ActiveX for updates:

Sound cards:
Audigy
Audigy 2
Audigy 2 LS
Audigy 2 NX
Audigy 2 Platinum
Audigy 2 Platinum eX
Audigy 2 Value
Audigy 2 ZS
Audigy 2 ZS Gamer
Audigy 2 ZS Notebook
Audigy 2 ZS Platinum
Audigy 2 ZS Platinum Pro
Audigy 2 ZS Video Editor
Audigy 4 Pro
Audigy Gamer
Audigy LS
Audigy MP3+
Audigy Platinum
Audigy Platinum eX
Live! 24-bit
Live! 24-bit External
Live! 5.1
Live! 5.1 Digital (Dell)
Live! ADVANCED MB
MP3 +
Sound Blaster Audigy 2 ZS Digital Audio
Sound Blaster Audigy ADVANCED MB
Sound Blaster X-Fi Fatal1ty
Wireless Music
X-Fi Elite Pro
X-Fi Platinum
X-Fi XtremeMusic

USB Sound Blaster:
Audigy 2 NX
MP3 +

Portable Audio:
MuVo
MuVo NX
MuVo Slim
MuVo TX
MuVo TX FM
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD IIc
NOMAD Jukebox 3
NOMAD Jukebox ZEN
Rhomba

Portable Media Players:
ZEN Portable Media Center
ZEN Vision 30GB

MP3 Players:
MuVo
MuVo 2.0 / MuVo Mix
MuVo Micro
MuVo NX
MuVo Slim
MuVo Sport C100
MuVo TX
MuVo TX FM
MuVo V200
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD II MG Limited Edition
NOMAD IIc
NOMAD JukeBox
NOMAD Jukebox 10GB
NOMAD Jukebox 2
NOMAD Jukebox 3
NOMAD Jukebox C
NOMAD Jukebox ZEN
NOMAD Jukebox ZEN NX
NOMAD Jukebox ZEN USB 2.0
Rhomba
ZEN 20GB
ZEN Micro
ZEN Nano 512MB
ZEN Nano Plus
ZEN Neeon 5GB/6GB
ZEN Portable Media Center
ZEN Sleek
ZEN Touch
ZEN Vision 30GB
ZEN Xtra

Web Cameras:
Creative PC-CAM 900
Creative WebCam Vista
Game Star
Live! Ultra for Notebooks
PC-CAM 880
WebCam Instant
WebCam Instant
WebCam Live!
WebCam Live! Pro
WebCam Live! Ultra
WebCam Notebook
WebCam NX
WebCam NX Pro
WebCam NX Ultra
WebCam Vista

Video:
Audigy 2 ZS Video Editor

Wireless:
Wireless Music

Notebook Products:
Audigy 2 NX
Audigy 2 ZS Notebook
Live! 24-bit External
Live! Ultra for Notebooks
MP3 +
WebCam Notebook

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

  • Talkback
  • Most Recent of 14 Talkback(s)
It is amazing.
You defend Active-X. Digging deeper, this is a hole in the call to the active X controller. Would it exist without Active-X? Would 1/3 of Windows machines in the US (estimates) be botted and compro... (Read the rest)
Posted by: TripleII Posted on: 05/30/08
Perhaps the practical solution...  johnay | 05/30/08
No solution!? Stop using Active-X (nt)  TripleII | 05/30/08
Do you know what ActiveX is?  mdemuth | 05/30/08
Active-X is by far the #1 infection vector ever known.  TripleII | 05/30/08
Your lack of understanding is clear  mdemuth | 05/30/08
Seeing boogymen that don't exist.  TripleII | 05/30/08
the title of this news is wrong because there's not a flaw in activex  qmlscycrajg | 05/30/08
You're right  Ryan NaraineZDNet Moderator | 05/30/08
What about the snippet?  TripleII | 05/30/08
Please educate yourself  mdemuth | 05/30/08
Educate Yourself.  TripleII | 05/30/08
You are quoting it wrong  mdemuth | 05/30/08
It is amazing.  TripleII | 05/30/08
Does IE7's ActiveX Opt-in prevent this?  PB_z | 05/30/08