Title: SystemSoft SystemWizard ActiveX Vulnerability
Severity: CRITICAL
Description:
HP Pavilion computers are shipped with SystemWizard, a diagnostic utility that includes two ActiveX controls. Although these controls can, among other things, launch programs and access the registry, they are marked safe for scripting and can therefore be called from web pages or HTML email. Microsoft implemented the Authenticode system to improve ActiveX security, but it warns only when an ActiveX control is downloaded, not when a control that is already installed or pre-installed on the system is run.
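The condition described above, an installed control registered as safe for scripting, can be audited from a registry export. The following is an added example, not part of the advisory or of Richard M. Smith's page; the sample export and its CLSIDs are constructed placeholders, and `audit` is a hypothetical helper name.

```python
import re
# Microsoft-defined component category: "safe for scripting".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4EBD}"
KILL_BIT = 0x400  # Compatibility Flags bit that blocks the control in Internet Explorer
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CLSID_KEY = re.compile(r"\\CLSID\\(" + GUID + r")(?:\\(.+))?$", re.I)
COMPAT_KEY = re.compile(r"\\ActiveX Compatibility\\(" + GUID + r")$", re.I)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)
DEFAULT = re.compile(r'^@="(.*)"$')
# Constructed sample in .reg export format; the CLSIDs are placeholders,
# not the identifiers of the SystemSoft controls.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="Sample launcher control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4EBD}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Sample registry control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c4ebd}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Sample control without the category"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400
"""

def audit(reg_text):
    """List CLSIDs marked safe for scripting and whether the kill bit is set."""
    names, safe, killed, clsid, sub, compat = {}, set(), set(), None, None, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            c, k = CLSID_KEY.search(line[1:-1]), COMPAT_KEY.search(line[1:-1])
            clsid, sub = (c.group(1).upper(), c.group(2)) if c else (None, None)
            compat = k.group(1).upper() if k else None
            if sub and sub.upper() == "IMPLEMENTED CATEGORIES\\" + CATID_SAFE_FOR_SCRIPTING:
                safe.add(clsid)
        elif clsid and not sub and DEFAULT.match(line):
            names[clsid] = DEFAULT.match(line).group(1)
        elif compat and FLAGS.match(line) and int(FLAGS.match(line).group(1), 16) & KILL_BIT:
            killed.add(compat)
    return [{"clsid": c, "name": names.get(c, ""), "kill_bit": c in killed} for c in sorted(safe)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["clsid"], "BLOCKED" if row["kill_bit"] else "SCRIPTABLE", row["name"])
```

A control can also declare itself safe at run time through the `IObjectSafety` interface, which leaves no registry category behind, so an empty result from this check does not rule out scriptable controls.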
Quoted from the web page by Richard M. Smith <smiths@tiac.net>:
The two SystemSoft controls are just thin wrappers around a number of Win32 system calls. The Launch ActiveX control allows a JavaScript program to run a DOS or Windows program and pass in command line parameters. The RegObj ActiveX control allows a JavaScript program to read, set, and scan registry keys. The controls are accessed on a Web page simply by including an HTML <OBJECT> tag with appropriate parameters.
Affected Products:
- SystemSoft SystemWizard for HP Pavilion
References:
- Richard M. Smith: New ActiveX security problems in Windows 98 PCs
- SystemSoft: SystemSoft Technical Support: SystemWizard