Vulnerability Note VU#701121

Gracenote CDDB ActiveX control buffer overflow

Original Release date: 27 Jun 2006 | Last revised: 15 Aug 2007

Overview

The Gracenote CDDB ActiveX control contains a buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

CDDB

CDDB (CD Data Base) is an internet database provided by Gracenote. CDDB contains track lists and other information about music CDs.

CDDB ActiveX control

The CDDB ActiveX control is a COM object that allows applications to query the CDDB to retrieve music CD information. Gracenote has provided versions of the CDDB ActiveX control to multiple vendors. These versions may use unique file names and GUIDs. Applications that work with audio CDs are the most likely ones to provide the Gracenote CDDB ActiveX control.

The problem

The CDDB ActiveX control contains a buffer overflow vulnerability.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page, HTML email message, or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.

Solution

Apply an update
Sony users should apply an update, as specified by the Gracenote Security Update.
Nokia PC Suite users should install the PC Suite Version 6.8 Update.
KDDI au Music Port users should install au Music Port 2.10 or later, as specified by the KDDI security alert.
JustSystem BeatJam 2006 users should apply an update, as specified by the Gracenote Security Update.
This issue is addressed by AOL 9.0 automatic updates. Log in to the AOL service to receive the appropriate update automatically. Users with AOL older than version 9.0 are recommended to upgrade to the latest version of AOL.
Users of other Gracenote-enabled software should run the update utility provided by Gracenote. This will disable vulnerable versions of the control that do not have updates available.


Disable the CDDB control

Disable the CDDB control by setting the kill bit as described in Microsoft Knowledge Base article 240797. The most common CLSIDs for the CDDB control are:

    {F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F}
    {229b78d5-38f5-11d5-9001-00c04f4c3b9f}
This will prevent the CDDB control from being used in Internet Explorer, but should not interfere with other applications that happen to use the control.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document and the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
America Online, Inc.Affected08 Dec 200608 Dec 2006
GracenoteAffected11 May 200628 Jun 2006
NokiaAffected20 Mar 200629 Jun 2006
Sony CorporationAffected15 Mar 200627 Jun 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Dan Plakosh of CERT/CC and Richard Smith for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2006-3134
  • Date Public: 27 Jun 2006
  • Date First Published: 27 Jun 2006
  • Date Last Updated: 15 Aug 2007
  • Severity Metric: 7.46
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.