#1 Posted : Wednesday, December 16, 2015 8:01:01 AM(UTC)
MarkGinsberg

Groups: Registered
Posts: 1


We are currently using LeadTools v19 in our product. We've received a query from a customer about a known security issue with a DLL that you include in your product, NCSECW.DLL. The issue, CVE-2010-3599, was reported against an Oracle product but the actual security issue is in the DLL and not in the Oracle product specifically. From the properties on the file you distribute we know that the DLL comes from a third party company, Earth Resource Mapping.


The security hole comes from the fact that the DLL is registered as a COM server which can be started via an HTML page as an ActiveX control. Once started the function WriteJPG can be called and that can result in a buffer overrun.


One possible solution is to not register the DLL but we don't know if that is possible or if your code requires it to be registered. Also, given that we don't register it we can't tell if the DLL self registers or if your code is doing the registration. We know we can potentially set the OS "kill bit" for the file but again we don't know if that will break anything your libraries require.


Have you been notified about this problem previously and if so what is the response to the report? If not, can you please research and provide a response?


If it helps here are some resources on the problem:

http://www.security-database.com/detail.php?alert=CVE-2010-3599

http://www.hexagonsolutions.com.cn/Libraries/Tech_Docs/ECW_JP2_SDK_-_Security_Advisory.sflb.pdf
 


#2 Posted : Thursday, December 17, 2015 3:46:22 AM(UTC)
Faris Shahin

Groups: Registered, Tech Support
Posts: 26


Our toolkit does not register this DLL as a COM object. This means unless your installer registers it, or you manually log in as Administrator and register it yourself (which malicious websites cannot do), it will NOT behave as an ActiveX control.
This means the way we use this DLL (calling its regular exported functions but not registering its COM/ActiveX interfaces) does NOT pose the risk you described.
Faris Shahin
Developer Support Engineer
LEAD Technologies, Inc.
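The reply above hinges on whether the DLL is actually registered as an in-process COM server on a given machine. The following PowerShell script is an added example, not code from LEAD Technologies or from this thread: it walks HKCR\CLSID (and the 32-bit Wow6432Node view) for any CLSID whose InprocServer32 points at the named DLL and reports whether the Internet Explorer kill bit (Compatibility Flags 0x400) is set for it. The DLL name is a parameter; the registry paths are the standard Windows locations and are assumed to be unchanged on the host.

```powershell
# Added example (not from the LEADTOOLS forum or vendor): report whether a DLL
# is registered as an in-process COM server and whether its CLSID is kill-bitted.
# Run from an elevated prompt so both registry views are readable.
param(
    [string]$DllName = 'NCSECW.DLL'   # file name from the thread; override as needed
)

$killBit = 0x400   # Compatibility Flags bit that IE/mshtml treats as "never load"
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'        # 32-bit servers on x64
)
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$hits = @()
foreach ($root in $clsidRoots) {
    foreach ($clsidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        # The (default) value of InprocServer32 is the path of the DLL COM will load.
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        if ([IO.Path]::GetFileName($server) -ine $DllName) { continue }

        $clsid = $clsidKey.PSChildName
        $killed = $false
        foreach ($compat in $compatRoots) {
            $flags = (Get-ItemProperty -Path (Join-Path $compat $clsid) `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -and (($flags -band $killBit) -ne 0)) { $killed = $true }
        }
        $hits += [pscustomobject]@{ CLSID = $clsid; Server = $server; KillBitSet = $killed }
    }
}

if ($hits.Count -eq 0) {
    # Matches the vendor's statement: no CLSID points at the DLL, so it cannot be
    # instantiated as an ActiveX control from a web page on this machine.
    "$DllName is not registered as an in-process COM server."
} else {
    # Any row with KillBitSet = False is a CLSID that IE would still be willing to load.
    $hits | Format-Table -AutoSize
}
```

A CLSID found here with KillBitSet False means the DLL was registered by something other than the toolkit (the installer or an administrator) and the kill bit has not been applied.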
