IBM Rational System Architect ActiveBar ActiveX Control Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1025464 |
|
SecurityTracker URL: http://securitytracker.com/id/1025464
|
|
CVE Reference:
CVE-2011-1207
(Links to External Site)
|
Updated: Aug 10 2011
|
Original Entry Date: Apr 29 2011
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 11.4 and prior versions
|
Description:
A vulnerability was reported in IBM Rational System Architect. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted HTML that, when loaded by the target user, will exploit the Save(), SaveLayoutchanges(), SaveMenuUsageData() and SetLayoutData() methods in the ActiveBar ActiveX controls (actbar.ocx and actbar2.ocx) to execute arbitrary code on the target system. The code will run with the privileges of the target user.
The vulnerability resides in the ActiveBar ActiveX controls used by IBM Rational System Architect.
Parvez Anwar reported this vulnerability via Secunia.
|
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution:
The vendor has issued a fix (11.3.1.4: 4029810; 11.4.0.3: 4029808).
Microsoft has also issued a kill-bit as part of Microsoft Security Advisory 2562937 (August 9, 2011):
http://www.microsoft.com/technet/security/advisory/2562937.mspx
The vendor's advisory is available at:
https://www-304.ibm.com/support/docview.wss?uid=swg21497689
|
Vendor URL: www-304.ibm.com/support/docview.wss?uid=swg21497689 (Links to External Site)
|
Cause:
Not specified
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 29 Apr 2011 21:04:28 +0000
Subject: IBM Rational System Architect
|
https://www-304.ibm.com/support/docview.wss?uid=swg21497689
CVE-2011-1207
|
|
