Security Response to Bugtraq 19732, "VMware ActiveX Control Buffer Overflow Vulnerability" (9078920)

Details

Bugtraq 19732 states that an ActiveX control (vmdbCOM) distributed with VMware software is prone to a buffer-overflow vulnerability. The article is found at http://www.securityfocus.com/bid/19732.

Solution

The vmdbCOM component is not marked "safe for scripting," so the browser warns the user before a malicious script can instantiate and execute it.

There is no privilege escalation with this exploit because vmdbCOM is meant to be used as a component of desktop applications, not as a component invoked from a Web page. vmdbCOM does not need to be safer than any other ActiveX control installed on the system by any other application.
 
If vmdbCOM were invoked from a Web page, this exploit would require Microsoft Windows to run with Administrator privilege and Internet Explorer to be configured to run unsafe ActiveX controls.
 
The overall safety of a given ActiveX control must be considered not only in terms of the ActiveX control itself (vmdbCOM is no less safe than many other ActiveX controls installed on Windows systems), but also in terms of the privileges of the process calling it and the trustworthiness of the code controlling that calling process.
 
To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an Administrator.
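The following PowerShell audit script is an added example, not part of this KB article or VMware's software. It checks the three conditions the article relies on: whether a control's CLSID is registered under the "safe for scripting" / "safe for initializing" component categories, whether the Internet Explorer Internet zone permits scripting of controls not marked safe, and whether the current user is an Administrator. The CLSID is a placeholder; the article does not give the vmdbCOM CLSID, so look it up on the system being audited.

```powershell
# Added audit example (not VMware's code). Assumes Windows with Internet
# Explorer zone settings present in HKCU.
param(
    # PLACEHOLDER: replace with the CLSID of the control under review.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# Well-known component category GUIDs that mark a control as "safe".
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Test-ActiveXSafeCategory {
    param([string]$Clsid, [string]$CategoryId)
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories\$CategoryId"
    return (Test-Path -LiteralPath $path)
}

$safeScript = Test-ActiveXSafeCategory -Clsid $Clsid -CategoryId $CATID_SafeForScripting
$safeInit   = Test-ActiveXSafeCategory -Clsid $Clsid -CategoryId $CATID_SafeForInitializing
"Control $Clsid : SafeForScripting=$safeScript SafeForInitializing=$safeInit"
# A control may also declare safety at runtime through IObjectSafety, which
# this registry check cannot see; 'False' means "not registered as safe",
# not proof that the browser will refuse to script it.

# IE zone 3 = Internet. Action 1201 = "Initialize and script ActiveX
# controls not marked as safe for scripting". 0=Enable, 1=Prompt, 3=Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$val = (Get-ItemProperty -Path $zoneKey -Name '1201' -ErrorAction SilentlyContinue).'1201'
switch ($val) {
    0       { 'Internet zone: unsafe ActiveX ENABLED - remediate by setting 1201 to 3' }
    1       { 'Internet zone: unsafe ActiveX set to Prompt - consider Disable (3)' }
    3       { 'Internet zone: unsafe ActiveX disabled (expected)' }
    default { "Internet zone: 1201 not set or unrecognised value '$val'" }
}

# The article advises against browsing as an Administrator; report that too.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user is Administrator: $isAdmin"
```

If the machine applies zone settings from HKLM (the Security_HKLM_only policy), read the same 1201 value under HKLM instead of HKCU.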

Keywords

alertz; urlz;
