{"vuid":"VU#312073","idnumber":"312073","name":"First4Internet CodeSupport ActiveX controls incorrectly marked 'safe for scripting'","keywords":["ActiveX","CodeSupport","Sony DRM","safe-for-scripting","safe for scripting","first4internet","aries.sys","SonyBMG","CodeSupport.ocx"],"overview":"ActiveX controls used to uninstall XCP Digital Rights Management (DRM) software made by First 4 Internet and distributed on some Sony BMG audio CDs are marked \"safe for scripting.\"","clean_desc":"XCP Digital Rights Management (DRM) software by First 4 Internet is distributed on some Sony BMG audio CDs. The XCP copy protection software uses \"rootkit\" technology to hide certain files from the user. A problem has been reported in an ActiveX control used to uninstall this software. It has been reported that upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked \"Safe for scripting,\" which means that any web page may be able to utilize the control and its methods. Some of the methods provided by this control appear to present security problems, as they may allow an attacker to download and execute arbitrary code.","impact":"It has been reported that the ActiveX control used to uninstall XCP DRM software may allow remote attackers to download and execute arbitrary code on vulnerable systems. The ActiveX control will only execute code that is packaged in a certain file format.","resolution":"Apply a patch from Microsoft: Microsoft has included updates in its December 2005 Security Bulletin MS05-054 that kill the known CLSIDs associated with the CodeSupport ActiveX control. http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx Manually set the Kill Bit for each CLSID for the ActiveX control: Set the kill-bit for the following CLSIDs after uninstalling the XCP DRM software.
4EA7C4C5-C5C0-4F5C-A008-8293505F71CC 7965A6FD-B383-4658-A8E0-C78DCF2D0E63 9A60A782-282B-4D69-9B2A-0945D588A125 80E8743E-8AC5-46F1-96A0-59FA30740C51 See Microsoft Knowledgebase Article BLAH for more information about this procedure.","workarounds":"As an alternative, disable ActiveX controls in Internet Explorer after uninstalling the XCP DRM software. Removing the vulnerable controls may also limit the potential risk reported for the CodeSupport control: cmd /k del \"%windir%\\downloaded program files\\codesupport.ocx\"","sysaffected":"","thanks":"This report has been publicly credited to Matti Nikki, with additional information provided by J. Alex Halderman and Ed Felten.","author":"This document was written by Jeffrey Havrilla.","public":["http://hack.fi/~muzzy/sony-drm/","http://www.freedom-to-tinker.com/?p=927","http://secunia.com/advisories/17610/","http://www.osvdb.org/displayvuln.php?osvdb_id=20887","http://www.securityfocus.com/bid/15430","http://www.frsirt.com/english/advisories/2005/2454"],"cveids":["CVE-2005-3650"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-11-15T20:25:40Z","publicdate":"2005-11-15T00:00:00Z","datefirstpublished":"2005-11-16T20:15:38Z","dateupdated":"2005-12-07T22:19:38Z","revision":24,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"5","cam_impact":"15","cam_easeofexploitation":"15","cam_attackeraccessrequired":"16","cam_scorecurrent":"7.7625","cam_scorecurrentwidelyknown":"7.7625","cam_scorecurrentwidelyknownexploited":"14.5125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.7625,"vulnote":null}