CISOs worry about vulnerabilities in the most commonly-attacked platforms in their inventory — Web servers, password databases, Flash, operating systems and productivity software. They rarely think about other applications.
But IBM has warned of a hole in a statistical analysis application that few IT pros have an eye on but accesses valuable data: IBM’s SSP Statistics.
The company says version 22 of the suite has an ActiveX control vulnerability on Win32 platforms that could allow a remote attacker to execute arbitrary code.
“By persuading a victim to visit a specially-crafted Web page with Internet Explorer, a local attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash,” IBM [NYSE: IBM] said in a security bulletin.
It has issued an interim fix. Another option is upgrading to the latest version of the suite.
According to security vendor Fortinet, credited for discovering the problem, version 22 of SPSS Statistics isn’t the current version (version 23 was issued in March), which is unaffected. However, it believes many organizations that use the suite haven’t upgraded.
Since the ActiveX control is not marked as “safe for scripting”, the vulnerability should be difficult to be exploited remotely, Fortinet says.
Still, because SPSS users often deal with a lot of valuable intellectual property it has the potential to expose high-value data to hackers.
The vulnerability exists due to insufficient sanitizing of the parameter value passed to the function ‘LongAsObject,’ says Fortinet. This could allow an attacker to pass malicious parameter value to the ActiveX control, resulting in arbitrary code execution on the victim’s system.
ActiveX controls have long been a vector for attackers to leverage. It’s one reason why the upcoming desktop version of Windows 10 won’t support ActiveX or other extensions. Instead Microsoft is developing a new extension model around HTML 5.