May 30th, 2008
ActiveX control bug bites Creative Labs AutoUpdate engine
A high-severity security flaw in the Creative Software automatic update engine could put Windows computers at risk of remote code execution attacks, according to a warning from the US-CERT (Computer Emergency Readiness Team).
The vulnerability affects the software used to provide updates to Creative Labs’ audio/video entertainment product line, which includes the popular Zen MP3 player line.
This line in the US-CERT advisory is the most important: “We are currently unaware of a practical solution to this problem.”
eEye Digital Security, the company credited with reporting the bug, says a proof-of-concept is available on a public exploit site.
Vulnerability description:
The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic update capabilities to Creative Labs software. This ActiveX control is provided by the file CTSUEng.ocx. The Creative Software AutoUpdate Engine ActiveX control is marked Safe For Scripting and Safe For Initialization, which means that a web page in Internet Explorer has the ability to interact with the control. This ActiveX control contains a stack buffer overflow in the CacheFolder property.
A successful attack will allow remote code execution in the context of the logged in user. eEye warns that ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet.
An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.
Mitigation:
In the absence of a patch, the best form of mitigation is setting the kill bit for the buggy ActiveX control's CLSID: 0A5FD7C5-A45C-49FC-ADB5-9952547D5715. Instructions are available in this Microsoft KB article.
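As an added illustration (not taken from the article, the US-CERT advisory or the Microsoft KB), the PowerShell below sets the Internet Explorer kill bit for that CLSID and reads it back. It assumes the standard kill-bit mechanism, a "Compatibility Flags" DWORD with the 0x400 bit set under the "ActiveX Compatibility" key, and an elevated 64-bit PowerShell prompt; the function names are hypothetical.

```powershell
# Added example: set and verify the IE kill bit for the CLSID named in the article.
# Assumption: standard kill-bit registry location and flag value (not quoted from the page).
$Clsid   = '{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}'   # CLSID given in the article
$KillBit = 0x400                                       # kill-bit flag in "Compatibility Flags"
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads the redirected key:
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Current "Compatibility Flags" DWORD, or 0 when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return $p.'Compatibility Flags'
}

function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any flags already present for this control are preserved.
    $flags = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -PropertyType DWord -Force | Out-Null
    # Read the value back instead of trusting the write.
    $now = Get-CompatFlags $key
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $now
        KillBitSet = [bool]($now -band $KillBit)
    }
}

# Report whether the control (CTSUEng.ocx) is registered as a COM server in either view.
foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
    $reg = "Registry::HKEY_CLASSES_ROOT\$view\$Clsid\InprocServer32"
    $srv = Get-ItemProperty -LiteralPath $reg -ErrorAction SilentlyContinue
    if ($srv) { "Registered under ${view}: $($srv.'(default)')" } else { "Not registered under $view" }
}

# Apply the kill bit wherever the ActiveX Compatibility key exists
# (the Wow6432Node branch is absent on 32-bit Windows).
foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) { Set-KillBit $root }
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not remove or fix CTSUEng.ocx itself.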
It’s important to note that the Creative Labs AutoUpdate Engine ActiveX is included by default with many hardware devices that Creative Labs distributes. The hardware and software products listed below depend on the vulnerable ActiveX for updates:
Sound cards:
Audigy
Audigy 2
Audigy 2 LS
Audigy 2 NX
Audigy 2 Platinum
Audigy 2 Platinum eX
Audigy 2 Value
Audigy 2 ZS
Audigy 2 ZS Gamer
Audigy 2 ZS Notebook
Audigy 2 ZS Platinum
Audigy 2 ZS Platinum Pro
Audigy 2 ZS Video Editor
Audigy 4 Pro
Audigy Gamer
Audigy LS
Audigy MP3+
Audigy Platinum
Audigy Platinum eX
Live! 24-bit
Live! 24-bit External
Live! 5.1
Live! 5.1 Digital (Dell)
Live! ADVANCED MB
MP3 +
Sound Blaster Audigy 2 ZS Digital Audio
Sound Blaster Audigy ADVANCED MB
Sound Blaster X-Fi Fatal1ty
Wireless Music
X-Fi Elite Pro
X-Fi Platinum
X-Fi XtremeMusic
USB Sound Blaster:
Audigy 2 NX
MP3 +
Portable Audio:
MuVo
MuVo NX
MuVo Slim
MuVo TX
MuVo TX FM
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD IIc
NOMAD Jukebox 3
NOMAD Jukebox ZEN
Rhomba
Portable Media Players:
ZEN Portable Media Center
ZEN Vision 30GB
MP3 Players:
MuVo
MuVo 2.0 / MuVo Mix
MuVo Micro
MuVo NX
MuVo Slim
MuVo Sport C100
MuVo TX
MuVo TX FM
MuVo V200
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD II MG Limited Edition
NOMAD IIc
NOMAD JukeBox
NOMAD Jukebox 10GB
NOMAD Jukebox 2
NOMAD Jukebox 3
NOMAD Jukebox C
NOMAD Jukebox ZEN
NOMAD Jukebox ZEN NX
NOMAD Jukebox ZEN USB 2.0
Rhomba
ZEN 20GB
ZEN Micro
ZEN Nano 512MB
ZEN Nano Plus
ZEN Neeon 5GB/6GB
ZEN Portable Media Center
ZEN Sleek
ZEN Touch
ZEN Vision 30GB
ZEN Xtra
Web Cameras:
Creative PC-CAM 900
Creative WebCam Vista
Game Star
Live! Ultra for Notebooks
PC-CAM 880
WebCam Instant
WebCam Live!
WebCam Live! Pro
WebCam Live! Ultra
WebCam Notebook
WebCam NX
WebCam NX Pro
WebCam NX Ultra
WebCam Vista
Video:
Audigy 2 ZS Video Editor
Wireless:
Wireless Music
Notebook Products:
Audigy 2 NX
Audigy 2 ZS Notebook
Live! 24-bit External
Live! Ultra for Notebooks
MP3 +
WebCam Notebook


