Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile Buffer Overflow Vulnerability

Subscribe

Check Point Reference: CPAI-2010-124
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA38974
Protection Provided by: Security Gateway
  • R75
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Liquid Technologies XML Studio 8.061970 and prior
Vulnerability Description
A vulnerability was reported in Liquid XML Studio, an XML editor developed by Liquid Technologies.
The vulnerability is caused due to a boundary error in the LtXmlComHelp8.UnicodeFile.1 ActiveX control (LtXmlComHelp8.dll). This can be exploited to cause a buffer overflow via an overly long argument passed to the "OpenFile()" method. Successful exploitation may allow execution of arbitrary code.
Update/Patch Available
The vendor has not released an advisory addressing this vulnerability.
Vulnerability Details
The flaw is due to a boundary error in the ActiveX object LtXmlComHelp8.dll while handling overly large Filename values passed to the method OpenFile. A remote attacker could exploit the vulnerability via a specially crafted web page that passes the large argument to vulnerable method of the ActiveX control.

Protection Overview
The protection will detect and block attempts to use the Liquid XML Studio ActiveX control in an HTML document.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05Protection taband select the version of your choice. 

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile Buffer Overflow protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the ActiveX Parser protection group.
3. Click User defined bad ActiveX Class ID (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: User defined bad ActiveX Class ID