Thursday, August 16, 2007

Automated Solutions From IBM/Lenovo Creates Vulnerability

Via heise Security News.

The Automated Solutions software package from IBM/Lenovo, which supports web-interactive system diagnostics and optimisation, introduces a security vulnerability. The software installs an ActiveX module containing vulnerabilities that may allow attackers to inject and execute remote code via specially crafted websites. An update to eliminate the problem is available.

US-CERT has reported multiple security vulnerabilities in the acpRunner ActiveX component, which is contained in the AcpController.dll library. Its function is to download, extract and run software. acpRunner incorrectly verifies digital signatures in downloaded software, possibly allowing attackers to download arbitrary program code onto the computer. The module also contains a format string vulnerability that can be exploited to execute remote code using specially crafted request parameters in websites. Since the module does not verify the domain from which the software originates, attackers can exploit the vulnerabilities from arbitrary websites.

More here.
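An added sketch in C (not code from IBM/Lenovo, heise or US-CERT) of two checks the report says acpRunner got wrong: matching the download origin against a fixed host list, and treating request parameters as data rather than as a format string. The host name, the https-only rule and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist: the only host packages may be fetched from. */
static const char *const ALLOWED_HOSTS[] = { "updates.vendor.example" };

/* Copy the host part of an https:// URL into out; 0 on success. */
static int url_host(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "https://";
    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return -1;                          /* assumption: https only */
    const char *auth = url + sizeof scheme - 1;
    size_t alen = strcspn(auth, "/?#");     /* authority ends here */
    /* Skip userinfo: "https://allowed@other/" must yield "other". */
    const char *host = auth;
    for (size_t i = 0; i < alen; i++)
        if (auth[i] == '@')
            host = auth + i + 1;
    size_t hlen = alen - (size_t)(host - auth);
    const char *colon = memchr(host, ':', hlen);   /* strip :port */
    if (colon)
        hlen = (size_t)(colon - host);
    if (hlen == 0 || hlen >= outlen)
        return -1;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return 0;
}

/* Exact, case-insensitive host match; no prefix or suffix matching. */
int origin_allowed(const char *url)
{
    char host[256];
    if (url_host(url, host, sizeof host) != 0)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof *ALLOWED_HOSTS; i++)
        if (strcasecmp(host, ALLOWED_HOSTS[i]) == 0)
            return 1;
    return 0;
}

/* The parameter is passed as an argument to "%s", never as the format. */
int format_request_log(char *buf, size_t len, const char *param)
{
    return snprintf(buf, len, "package request: %s", param);
}
```

An origin check like this narrows who can reach the component; it does not replace correct signature verification of the downloaded package.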
