SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#701121

Gracenote CDDB ActiveX control buffer overflow

Overview

The Gracenote CDDB ActiveX control contains a buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

CDDB

CDDB (CD Data Base) is an internet database provided by Gracenote. CDDB contains track lists and other information about music CDs.

CDDB ActiveX control

The CDDB ActiveX control is a COM object that allows applications to query the CDDB to retrieve music CD information. Gracenote has provided versions of the CDDB ActiveX control to multiple vendors. These versions may use unique file names and GUIDs. Applications that work with audio CDs are the most likely ones to provide the Gracenote CDDB ActiveX control.

The problem

The CDDB ActiveX control contains a buffer overflow vulnerability.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page, HTML email message, or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.

III. Solution

Apply an update

Sony users should apply an update, as specified by the Gracenote Security Update.
Nokia PC Suite users should install the PC Suite Version 6.8 Update.
KDDI au Music Port users should install au Music Port 2.10 or later, as specified by the KDDI security alert.
JustSystem BeatJam 2006 users should apply an update, as specified by the Gracenote Security Update.
This issue is addressed by AOL 9.0 automatic updates. Log in to the AOL service to receive the appropriate update automatically. Users with AOL older than version 9.0 are recommended to upgrade to the latest version of AOL.
Users of other Gracenote-enabled software should run the update utility provided by Gracenote. This will disable vulnerable versions of the control that do not have updates available.

Disable the CDDB control

Disable the CDDB control by setting the kill bit as described in Microsoft Knowledge Base article 240797. The most common CLSIDs for the CDDB control are:

    {F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F}
    {229b78d5-38f5-11d5-9001-00c04f4c3b9f}
This will prevent the CDDB control from being used in Internet Explorer, but should not interfere with other applications that happen to use the control.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document and the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Systems Affected
VendorStatusDate NotifiedDate Updated
America Online, Inc.Vulnerable8-Dec-2006
GracenoteVulnerable28-Jun-2006
NokiaVulnerable29-Jun-2006
Sony CorporationVulnerable27-Jun-2006

References

http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer
http://www.gracenote.com/corporate/FAQs.html/faqset=security/page=0
http://www.gracenote.com/sec062706/SonySecurityNotification.html
http://www.gracenote.com/sec062706/JustSystem_Security_Notice.html
http://europe.nokia.com/nokia/0,,93034,00.html
http://www.microsoft.com/com/default.mspx
http://jvn.jp/cert/JVNVU%23701121/
http://osvdb.org/displayvuln.php?osvdb_id=26874
http://www.zerodayinitiative.com/advisories/ZDI-06-019.html
http://secunia.com/advisories/20861/
http://secunia.com/advisories/20862/
http://secunia.com/advisories/23043/
http://www.au.kddi.com/service/lismo/music_port_caution.html
http://secunia.com/advisories/23043/

Credit

Thanks to Dan Plakosh of CERT/CC and Richard Smith for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:2006-06-27
Date First Published:2006-06-27
Date Last Updated:2007-08-15
CERT Advisory: 
CVE-ID(s):CVE-2006-3134
NVD-ID(s):CVE-2006-3134
US-CERT Technical Alerts: 
Metric:7.46
Document Revision:23

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader