Security flaw found in ActiveX Control used by Symantec’s WinFax PRO
An important update to all WinFax PRO fax users
UPDATED NEWS : Microsoft releases “ActiveX Killbits” Security Patch for XP February 9th, 2010 (See below)
A security flaw (called a Remote Buffer overflow) with a specific ActiveX Control that is used by WinFax PRO was reported. This type of security flaw is fairly common with ActiveX controls, and effects many programs out there. Recently the same security risks were identified in Facebook & Yahoo Music ActiveX controls. The flaw allows a script (on a Web page that you visit) to execute a program on your computer. When these risks are identified, Microsoft releases a security update to the operating system that fixes these holes.
For this flaw to effect you, you’d have to 1) Have WinFax PRO, TalkWorks PRO or WinFax Basic Edition installed 2) be tricked to visiting a Web page set up with this exploit, and 3) click “Yes” to allow the ActiveX component to run (it is preferred that you don’t allow ActiveX components to automatically run, so beware and check your settings in IE)
We’ve tested the “proof of concept” test script in Internet Explorer and our AVG Anti-Virus detected it immediately and prevented the script from executing. However, one user commented to us that a carefully encoded script could bypass current Anti-virus detection. We’ve determined this Fax Viewer flaw effects all versions of WinFax PRO (from 8.0 to 10.04) and TalkWorks PRO (2.0 and 3.0) and all WinFax Basic Editions.
Symantec’s Security team response was they would not be updating the effected file since they discontinued sales and support of WinFax PRO in 2006.
How to protect myself?
We have included a free tool (WinFax Tools) which sets the “killbit” for this WinFax specific ActiveX control in the Windows registry. A “killbit” disables the WinFax ActiveX control from executing in Internet Explorer and Microsoft Explorer. This doesn’t effect the normal operation of WinFax PRO but will disable any custom written (WinFax SDK) applications that may use this WinFax Viewer Control from a Web page.
- Click here to download WinFax Tools
- Click the “No Operator Code” button when prompted
- Click the “Fix Viewer DLL Security” button to set the “Killbit” for the WinFax ActiveX Control.
- Click ”Yes” when prompted.
- You’re done, and are now protected from this security risk.
This type of security flaw is common with many ActiveX components used in applications, not just WinFax. Facebook & Yahoo ActiveX controls have recently been indentified with the same risks. It always recommended to follow safe surfing practices, have anti-virus enabled and a firewall, keep your Microsoft Windows OS updated with the latest security patches released by Microsoft, don’t allow ActiveX controls to run automatically, and be aware of any ActiveX controls that you allow to run.
It’s possible that Microsoft will include a security update (which includes the Killbit) in the near future that would prevent the execution of this specific ActiveX control. We recommend you take action now, instead of waiting for Microsoft to release Killbit Security updates.
UPDATE March 2010: In a Windows XP update that was released February 9th, 2010, this security flaw was finally addressed. The actual update released by Microsoft is: Microsoft Security Bulletin MS10-008 – Critical Cumulative Security Update of ActiveX Kill Bits (978262). If you have already downloaded this security update for Windows XP, then your system will already have the necessary ActiveX Kill bits set for the WinFax PRO ActiveX control. You can still download WinFax Tools and check to see if the ActiveX kill bit was applied properly by Windows XP Update. If your system has the Killbit set, the WinFax Tools program will indicate it has already been applied.
Here are some links to interesting applications and technical articles on ActiveX controls and Killbits for those interested in learning more about “Killbits” and security issues with ActiveX controls.
Killbit Explorer application (lets you see all ActiveX controls that have killbits set.) http://code.msdn.microsoft.com/killbitexplorer
How to disable ActiveX controls from running in Internet Explorer and Windows Explorer http://support.microsoft.com/kb/240797
Article on ActiveX Controls and Security http://www.infoworld.com/d/security-central/security-pros-kill-activex-164?page=0,0
Symantec’s Official Report on this flaw http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23348