LDRA Software Technology Information for VU#908801

Particle Software IntraLaunch Application Launcher ActiveX control fails to restrict access to dangerous methods

Status

Affected

Vendor Statement

The LDRA TBbrowse component uses the Microsoft Internet Explorer HTML framework to implement an HTML report viewer. The IntraLaunch.ocx control allows these reports to include active links to other reports.

The use of IntraLaunch is optional, and the user is asked to confirm their wish to include it as part of the installation.

As of LDRA 9.45 the ActiveX control can be disabled without loss of report functionality. As of LDRA 9.57, the IntraLaunch ActiveX control is no longer provided.

Vendor Information

Disabling IntraLaunch via the “kill-bit” is not a viable option if a user wishes to make use of the intra-report links displayed within TBbrowse.

However, given the vulnerability noted in VU#908801 it is still advisable to take appropriate security measures:
  1. Disable the use of ActiveX controls in the Internet Zone or ensure that any affected machine does not have access to the internet (e.g. via firewall settings).
  2. Ensure that any affected machine does not have access to any other untrusted network that may be used as an attack vector.
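
A read-only audit of the two settings discussed above (ActiveX in the Internet Zone, and the kill bit), added here as an example; it is not LDRA's or CERT/CC's code. The CLSID is a placeholder because this page does not give the IntraLaunch CLSID, and the hive lookup order is a simplification of how Internet Explorer resolves zone settings.

```powershell
param(
    # PLACEHOLDER: this page does not list the IntraLaunch CLSID; supply the real one.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Zone 3 = Internet Zone. URL action 1200 = "Run ActiveX controls and plug-ins".
# Data: 0 = Enable, 1 = Prompt, 3 = Disable. Policy hives override preferences.
# Assumption: the first hive that defines the value is treated as effective.
$zone = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zonePaths = @(
    "HKLM:\SOFTWARE\Policies\$zone",
    "HKCU:\Software\Policies\$zone",
    "HKCU:\Software\$zone",
    "HKLM:\SOFTWARE\$zone"
)
$effective = $null
foreach ($p in $zonePaths) {
    $v = Get-RegValue $p '1200'
    if ($null -ne $v) { $effective = [pscustomobject]@{ Path = $p; Value = $v }; break }
}
if ($null -eq $effective) {
    Write-Output 'Internet Zone action 1200: not set in any checked hive'
} else {
    $state = if ($effective.Value -eq 3) { 'disabled' } else { 'NOT disabled' }
    Write-Output ("Internet Zone action 1200 = {0} at {1}: {2}" -f $effective.Value, $effective.Path, $state)
}

# The kill bit is bit 0x400 of "Compatibility Flags" under the control's CLSID.
# The WOW6432Node copy applies to 32-bit Internet Explorer on 64-bit Windows.
$killRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($root in $killRoots) {
    $flags = Get-RegValue "$root\$Clsid" 'Compatibility Flags'
    $set = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
    Write-Output ("Kill bit under {0}: {1}" -f $root, $(if ($set) { 'set' } else { 'not set' }))
}
```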

Vendor References

None
