Check Point Advisories

Update Protection against GraceNote (CDDB) Control ActiveX Vulnerability

Check Point Reference: CPAI-2006-103
Date Published: 12 Sep 2006
Severity: High
Last Updated: 15 May 2007
Source: FrSIRT/ADV-2006-2562
Industry Reference: CVE-2006-3134
US-CERT VU#701121
Protection Provided by:
Who is Vulnerable? CDDBControl ActiveX Control
Sony CONNECT Player
Sony SonicStage version 3.3
Sony SonicStage version 3.4
Sony SonicStage Mastering Studio version 2.1
Sony SonicStage Mastering Studio version 2.2
Vulnerability Description: The Gracenote CDDB ActiveX control is used by Sony products (as well as those of other vendors) to look up information about CDs in the Gracenote CD Database (CDDB). The control contains a buffer overflow error. By convincing a user to visit a malicious Web page or open a malicious HTML document, an attacker could cause the victim's system to execute arbitrary commands or cause the victim's Web browser to crash.
Vulnerability Status 
Update/Patch Available
Apply patch:
http://www.gracenote.com/sec062706/GracenoteUpdateForSony.exe
Vulnerability Details: To trigger the vulnerability, an attacker can create a malicious Web page that instantiates the ActiveX control with a specially crafted option value. Once the malicious page is loaded, successful exploitation could result in remote code execution on the victim's system or crash the user's Web browser.

Protection Overview
