Thursday 31 May 2007

ActiveX module for CD bonus content unsafe

Eminem, Coldplay, 50 Cent, Mariah Carey - there's one thing they all have in common - an application on their CDs which promises additional downloads and content. The program, going by the name of CDPass, analyses the inserted CD and then activates web content if the user can prove that he owns the media.

US-CERT reports, however, that the ActiveX module provided by the file CDPass.dll is vulnerable to numerous buffer overflows. As a result, attackers can inject malicious code via crafted web pages or HTML e-mail and execute it with the user's privileges. US-CERT does not provide any further information in its security advisory.

No update from the vendor, Media Technology Group, is yet in sight. Affected users should therefore either deactivate ActiveX or set the kill bit for this ActiveX control, which has the CLSID {46C66BBD-E667-4dad-9682-58050E7C9FDC}. A Microsoft knowledge base article offers assistance with doing so.

(heise Security)
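
The kill-bit mitigation mentioned above, as an added PowerShell example (not part of the original article or of Microsoft's knowledge base text). The registry location and the 0x400 flag are the standard ones Internet Explorer uses for kill bits; the function names are hypothetical, and the CLSID is the one quoted in the article.

```powershell
# Added example: set and verify the IE kill bit for the CDPass control.
# Run from an elevated prompt. The CLSID is the one given in the article.
$CdPassClsid = '{46C66BBD-E667-4dad-9682-58050E7C9FDC}'
$KillBit     = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$KeyPath) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.'Compatibility Flags'
}

function Set-ActiveXKillBit([string]$Clsid) {
    foreach ($root in $CompatRoots) {
        $parent = Split-Path -Path $root -Parent
        if (-not (Test-Path -LiteralPath $parent)) { continue }  # no such view on this OS
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any flags already set on the control are preserved.
        $flags = (Get-CompatFlags $key) -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $flags -Force | Out-Null
    }
}

function Test-ActiveXKillBit([string]$Clsid) {
    # One result per registry view that exists, so a missed view is visible.
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath (Split-Path -Path $root -Parent))) { continue }
        $key = Join-Path $root $Clsid
        [pscustomobject]@{
            Key     = $key
            KillBit = [bool]((Get-CompatFlags $key) -band $KillBit)
        }
    }
}

Set-ActiveXKillBit  $CdPassClsid
Test-ActiveXKillBit $CdPassClsid | Format-Table -AutoSize
```

The kill bit only stops Internet Explorer and other hosts that honour it from loading the control; CDPass.dll itself stays on disk until it is uninstalled or updated.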


