Re: Security issue in NCSECW.dll

We are currently using LeadTools v19 in our product. We've received a query from a customer about a known security issue with a DLL that you include in your product, NCSECW.DLL. The issue, CVE-2010-3599, was reported against an Oracle product but the actual security issue is in the DLL and not in the Oracle product specifically. From the properties on the file you distribute we know that the DLL comes from a third party company, Earth Resource Mapping.


The security hole comes from the fact that the DLL is registered as a COM server which can be started via an HTML page as an ActiveX control. Once started the function WriteJPG can be called and that can result in a buffer overrun.


One possible solution is to not register the DLL but we don't know if that is possible or if your code requires it to be registered. Also, give that we don't register it we can't tell if the DLL self registers or if your code is doing the registration. We know we can potentially set the OS "kill bit" for the file but again we don't know if that will break anything your libraries require.


Have you been notified about this problem previously and if so what is the response to the report? If not, can you please research and provide a response?


If it helps here are some resources on the problem:

http://www.security-database.com/detail.php?alert=CVE-2010-3599

http://www.hexagonsolutions.com.cn/Libraries/Tech_Docs/ECW_JP2_SDK_-_Security_Advisory.sflb.pdf

Our toolkit does not register this DLL as a COM object. This means unless your installer registers it, or you manually log-in as Administrator and register it yourself (which malicious websites cannot do), it will NOT behave as an ActiveX control.
This mean the way we use this DLL (calling it regular exported functions but not registering its COM/ActiveX interfaces), does NOT pose the risk you described.