Vulnerability found in IBM statistical analysis suite

CISOs worry about vulnerabilities in the most commonly-attacked platforms in their inventory — Web servers, password databases, Flash, operating systems and productivity software. They rarely think about other applications.

But IBM has warned of a hole in a statistical analysis application that few IT pros have an eye on but accesses valuable data: IBM’s SSP Statistics.

The company says version 22 of the suite has an ActiveX control vulnerability on Win32 platforms that could allow a remote attacker to execute arbitrary code.

“By persuading a victim to visit a specially-crafted Web page with Internet Explorer, a local attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash,” IBM [NYSE: IBM] said in a security bulletin.

It has issued an interim fix. Another option is upgrading to the latest version of the suite.

According to security vendor Fortinet,  credited for discovering the problem, version 22 of SPSS Statistics isn’t the current version (version 23 was issued in March), which is unaffected. However, it believes many organizations that use the suite haven’t upgraded.

Since the ActiveX control is not marked as “safe for scripting”, the vulnerability should be difficult to be exploited remotely, Fortinet says.

Still, because SPSS users often deal with a lot of valuable intellectual property it has the potential to expose high-value data to hackers.

The vulnerability exists due to insufficient sanitizing of the parameter value passed to the function ‘LongAsObject,’ says Fortinet. This could allow an attacker to pass malicious parameter value to the ActiveX control, resulting in arbitrary code execution on the victim’s system.

ActiveX controls have long been a vector for attackers to leverage. It’s one reason why the upcoming desktop version of Windows 10 won’t support ActiveX or other extensions. Instead Microsoft is developing a new extension model around HTML 5.

IBM bought SPSS in 2009 for US$1.3 billion.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web