-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0497
       Security Vulnerability for ActiveX Control packaged with IBM
            Cognos Disclosure Management Client (CVE-2013-0501)
                               9 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Disclosure Management
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0501  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21627070

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerability for ActiveX Control packaged with IBM Cognos Disclosure 
Management Client (CVE-2013-0501)

Flash (Alert)

Document information

Cognos Disclosure Management

Software version:
10.2

Operating system(s):
Windows

Reference #:
1627070

Modified date:
2013-04-05

Abstract

A third party ActiveX control (EdrawSoft) may have been registered in the 
Windows registry by the CDM client installation process. This ActiveX control 
contains a security vulnerability that could allow unauthorized file access to 
the user's machine from malicious web sites.

Content

VULNERABILITY DETAILS:

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings 
for these issues are:

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82345 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


DESCRIPTION:

The EdrawSoft ActiveX control is marked as "safe for scripting", meaning that 
once installed on a client machine, it can be controlled from web pages. Users
that visit malicious web sites on the Internet can have their local files 
uploaded to these websites or binary files forcefully downloaded onto their 
machines. Newly downloaded binary files can also be executed from the malicious
web page.

AFFECTED PRODUCTS:
IBM Cognos Disclosure Management 10.2.0

REMEDIATION:
The registration of the ActiveX control should be removed from the Windows 
registry to prevent any security vulnerabilities. This will not affect how the
ActiveX control works within the CDM product; it will just remove access from 
outside the application.

The following registry keys should be removed if they exist:

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{7677E74E-5831-4C9E-A2DD-9B1EF9DF2DB4}]

[HKEY_CLASSES_ROOT\CLSID\{7677E74E-5831-4C9E-A2DD-9B1EF9DF2DB4}]

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{4059A851-1706-46D5-A0AF-FD9AE0A43E70}]

[HKEY_CLASSES_ROOT\CLSID\{4059A851-1706-46D5-A0AF-FD9AE0A43E70}]

[HKEY_CLASSES_ROOT\EDOFFICE.EDOfficeCtrl.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9EF5199D-83D8-43DE-98A9-DA5BC5F17836}]

[HKEY_CLASSES_ROOT\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}]

[HKEY_CLASSES_ROOT\Wow6432Node\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}]


It is recommended that the registry keys are backed up prior to making any changes.

Please refer to the instructions below for backing up and deleting a registry key:

    Log in to the machine as a local administrator.
    Open the registry editor (regedit at command line).
    Locate and click on the key that is to be removed.
    Click on the File menu and select 'Export'.
    In the Save In box, please select the location to save the file to and an appropriate file name. Click save.
    Delete the key by right clicking on the key and selecting 'Delete'.
    To restore a key, double click on the saved .reg file.
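The following PowerShell script is an added example, not part of the IBM bulletin: it automates the manual procedure above for the keys the bulletin lists, reporting for each CLSID whether the control is registered in the "safe for scripting" component category described earlier, exporting each present key to a .reg backup and then deleting it. The backup directory is an assumption; the key list and GUIDs are the bulletin's own.

```powershell
# Added example (not from the IBM bulletin): audit, back up and remove the
# EdrawSoft ActiveX registrations listed above. Run from an elevated PowerShell.
# The key list is taken from the bulletin; the backup directory is an assumption.
$BackupDir = 'C:\RegBackup\CVE-2013-0501'

$Keys = @(
    'HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{7677E74E-5831-4C9E-A2DD-9B1EF9DF2DB4}',
    'HKEY_CLASSES_ROOT\CLSID\{7677E74E-5831-4C9E-A2DD-9B1EF9DF2DB4}',
    'HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{4059A851-1706-46D5-A0AF-FD9AE0A43E70}',
    'HKEY_CLASSES_ROOT\CLSID\{4059A851-1706-46D5-A0AF-FD9AE0A43E70}',
    'HKEY_CLASSES_ROOT\EDOFFICE.EDOfficeCtrl.1',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9EF5199D-83D8-43DE-98A9-DA5BC5F17836}',
    'HKEY_CLASSES_ROOT\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}',
    'HKEY_CLASSES_ROOT\Wow6432Node\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08FDACA2-7D6F-4F01-9318-32CFB9B39E66}'
)

# Well-known COM component category (CATID_SafeForScripting) that marks a control scriptable from web pages.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $Keys) {
    $psPath = 'Registry::' + $key
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "absent : $key"
        continue
    }
    # For CLSID keys, report whether the control is actually exposed to scripting.
    if ($key -match '\\CLSID\\\{') {
        $cat  = "$psPath\Implemented Categories\$SafeForScripting"
        $flag = if (Test-Path -LiteralPath $cat) { 'SAFE-FOR-SCRIPTING' } else { 'not scriptable' }
        Write-Host "present: $key ($flag)"
    } else {
        Write-Host "present: $key"
    }
    # Export before deleting so the key can be restored by importing the .reg file.
    $file = Join-Path $BackupDir (($key -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "export failed, skipping $key"; continue }
    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Host "removed: $key (backup: $file)"
}
```

Re-running the script after the CDM client is updated confirms that none of the keys have been re-registered; to restore a key, import its .reg file from the backup directory as the bulletin describes.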


This issue has been corrected in an update from EdrawSoft and will be included 
in future releases of CDM.

For more assistance, please contact IBM Support.


REFERENCES:

    Complete CVSS Guide
    On-line Calculator V2
    CVE-2013-0501
    X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82345

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
5 April 2013: Original Copy Published 


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines 
Corp., registered in many jurisdictions worldwide. Other product and service 
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at 
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================