===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0023
         Rational Rhapsody for Windows Blueberry FlashBack ActiveX
                          Control vulnerabilities
                              4 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Rhapsody for Windows prior to 7.6.1
Publisher:         IBM
Operating System:  Windows 7
                   Windows Server 2008
                   Windows Server 2008 R2
                   Windows Vista
                   Windows XP
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1392 CVE-2011-1391 CVE-2011-1388

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21576352

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Rational Rhapsody for Windows Blueberry FlashBack ActiveX
Control vulnerabilities (CVE-2011-1388, CVE-2011-1391, CVE-2011-1392)

Flash (Alert)

Abstract

There are multiple high-risk security vulnerabilities in the Blueberry
FlashBack ActiveX control shipped with IBM Rational Rhapsody for Windows V7.6
and earlier versions. The problem occurs outside Rhapsody, when the control is
invoked as an ActiveX control by Microsoft Internet Explorer.

Content

VULNERABILITY DETAILS:

CVE IDs: CVE-2011-1388, CVE-2011-1391, CVE-2011-1392

DESCRIPTION: It is possible for an attacker to compromise the Blueberry
FlashBack ActiveX control ("BB FlashBack Recorder.dll") used within Rational
Rhapsody for Windows and remotely execute arbitrary code by instantiating this
control from the Microsoft Internet Explorer Web browser. Known methods of
exploiting the vulnerabilities in this control include Start(), PauseAndSave(),
InsertMarker(), InsertSoundToFBRAtMarker() and TestCompatibilityRecordMode().
For a remote attacker to exploit these vulnerabilities in Rhapsody releases,
the following must be accomplished:

    * The user must have Rational Rhapsody installed on the machine.
      Important Note: Continuous use of Rhapsody is not required; the
      vulnerabilities may be exploited against the ActiveX control regardless
      of the use of the product.

    * The attacker needs to create malicious code that would exploit the
      ActiveX control. This code could be part of an e-mail attachment or a
      Web page.

    * The user must be persuaded to execute the attachment or follow a Web
      site link that contains the malicious code via the Microsoft Internet
      Explorer Web browser.

    * In the Internet Zone, the user must authorize the ActiveX pop-up dialog
      before the control can be used.

    * As of December 21, 2011, IBM has not received any reports of customer
      issues related to these security vulnerabilities. These vulnerabilities
      were reported to IBM by the TippingPoint Zero Day Initiative (ZDI) and
      discovered by a third-party researcher.

These vulnerabilities were discovered by Andrea Micalizzi aka rgod, working
with TippingPoint's Zero Day Initiative (ZDI).

CVSS:

Using the Common Vulnerability Scoring System (CVSS) v2, the security rating
for all of these issues is:

CVSS Base Score: 9.3

CVSS Temporal Score: See the corresponding X-Force reference for each CVE for
the current score:

CVE-2011-1388 - http://xforce.iss.net/xforce/xfdb/71694
CVE-2011-1391 - http://xforce.iss.net/xforce/xfdb/71803
CVE-2011-1392 - http://xforce.iss.net/xforce/xfdb/71804

CVSS Environmental Score*: Undefined

CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

    Rational Rhapsody for Windows V7.5.x
    Rational Rhapsody for Windows V7.6 

REMEDIATION:

The recommended solution is to upgrade to Rhapsody V7.6.1 as soon as
practical. If an upgrade is not an option, or will only be done at a later
date, apply the workaround as soon as possible.

Fix:

Upgrade to the latest version of Rational Rhapsody (V7.6.1) available from
http://www-01.ibm.com/support/docview.wss?uid=swg24031530

Workaround(s):

    Option #1 - Disable the use of the vulnerable ActiveX control within
    Internet Explorer.

    Option #2 - Disable ActiveX. Properly securing your Web browser to limit
    ActiveX controls can help avoid this issue. Limiting the ActiveX controls
    would both notify the user and force the user to take some action to
    allow the ActiveX functionality.

    Note: The Firefox browser does not support ActiveX controls.

Option #1 - Disable the use of the vulnerable ActiveX control within Internet
Explorer

Disclaimer: This solution contains information about modifying the system
registry. Before making any modifications to the Microsoft Registry Editor, it
is strongly recommended that you make a backup of the existing registry. For
more information describing how to back up the registry, refer to Microsoft
Knowledge Base article 256986.

The vulnerable ActiveX control can be disabled in Internet Explorer by setting
the kill bit. Execute the following steps to disable the vulnerable ActiveX
control in Internet Explorer:

    * Copy the attached reg file at the end of this document to the desktop.
      Ensure you are executing this file with the appropriate permissions
      required to modify the operating system registry.

      Note: The registry file contains the following entries (if you are not
      able to download the file at the end of the document). On 64-bit
      Windows both keys are needed, since 32-bit Internet Explorer reads the
      Wow6432Node view; "Compatibility Flags" is a single value name and
      0x400 is the kill-bit flag:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A3CD4BF9-EC17-47A4-833C-50A324D6FF35}]
      "Compatibility Flags"=dword:00000400

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A3CD4BF9-EC17-47A4-833C-50A324D6FF35}]
      "Compatibility Flags"=dword:00000400

    * Double-click the "CFM kill-bit.reg" file.
    * You will be prompted with a dialog box asking: "Are you sure you want
      to add the information in <path> to the registry?"
    * Click Yes.
    * You will be prompted with another dialog confirming the successful
      addition of the entries to the registry.
    * Click OK.

More information about how to set the kill bit is available in Microsoft Support
Document 240797.
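The following PowerShell function is an added example, not part of the IBM or AusCERT bulletin: it audits whether the kill bit (0x400 in "Compatibility Flags") is set for the FlashBack control's CLSID in both registry views that the .reg file above writes, and with -Enforce adds the bit without disturbing other flags. The function name and parameters are this example's own; the CLSID and flag value come from the bulletin.

```powershell
# Added example: verify (and optionally set) the IE kill bit for the
# FlashBack control. CLSID and flag value are taken from the bulletin's
# .reg file; Test-ActiveXKillBit and its parameters are hypothetical names.
$FlashBackClsid = '{A3CD4BF9-EC17-47A4-833C-50A324D6FF35}'
$KillBit = 0x400   # "Compatibility Flags" bit documented in KB 240797

function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$Enforce   # add the bit where it is missing (needs elevation)
    )
    # 64-bit Windows keeps a second view for 32-bit IE under Wow6432Node;
    # both must carry the flag, exactly as the bulletin's .reg file does.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }
        $set = ($flags -band $KillBit) -ne 0
        if (-not $set -and $Enforce) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the kill bit into any flags already present rather than
            # overwriting them, then re-read so the report shows the new value.
            $flags = $flags -bor $KillBit
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
            $set = $true
        }
        [pscustomobject]@{ Key = $key; Flags = ('0x{0:X8}' -f $flags); KillBitSet = $set }
    }
}

# Audit only; add -Enforce from an elevated prompt to apply the workaround.
Test-ActiveXKillBit -Clsid $FlashBackClsid | Format-Table -AutoSize
```

A KillBitSet value of False in either row means Internet Explorer can still instantiate the control from that view.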

Option #2 - Disable ActiveX

Disabling all ActiveX controls in the Internet Zone (or any zone used by an
attacker) can prevent exploitation of this and other ActiveX vulnerabilities,
although it might lead to usability issues with sites that require it.
http://securitywatch.eweek.com/browsers/how_to_disable_activex_controls_in_internet_explorer_1.html

Mitigation(s):

None known, apply fixes.

Important Note: FlashBack is a third-party control that may have been installed
by other applications. If other applications are using FlashBack, you must also
implement the workaround. You should contact the appropriate vendor or vendors
whose applications also use FlashBack.

REFERENCES:

    Complete CVSS Guide
    On-line Calculator V2
    CVE-2011-1388 - http://xforce.iss.net/xforce/xfdb/71694
    CVE-2011-1391 - http://xforce.iss.net/xforce/xfdb/71803
    CVE-2011-1392 - http://xforce.iss.net/xforce/xfdb/71804

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================