There are multiple security vulnerabilities in the mraboutb.dll and ExportHTML.dll ActiveX controls shipped by IBM SPSS Data Collection versions 5.6, 6.0 and 6.0.1 ("Data Collection") and SPSS Dimensions version 5.5 ("Dimensions"). The vulnerabilities allow remote attackers to execute arbitrary code on installations of Data Collection or Dimensions when the control is invoked as ActiveX by Microsoft Internet Explorer.
CVE IDs: CVE-2012-0188, CVE-2012-0190
DESCRIPTION: An attacker can compromise the mraboutb.dll and ExportHTML.dll ActiveX controls used within IBM SPSS Data Collection or SPSS Dimensions to remotely execute arbitrary code by instantiating the controls from Microsoft Internet Explorer. For a remote attacker to exploit these vulnerabilities in Data Collection or Dimensions releases, all of the following conditions must be met:
1. User must have IBM SPSS Data Collection or SPSS Dimensions installed on the machine.
Important Note: Execution or use of Data Collection or Dimensions is not required; the vulnerabilities may be exploited against the ActiveX control once Data Collection or Dimensions is installed, regardless of use of the product.
2. Attacker needs to create malicious code that would exploit the ActiveX control. This code could be part of an attachment that a user receives by means of e-mail or by visiting a Web page.
3. User must be persuaded to execute the attachment or follow a Web site link that contains the malicious code via the Microsoft Internet Explorer Web browser.
4. On the internet zone of Microsoft Internet Explorer, the user must affirmatively authorize the ActiveX pop-up dialog before the security vulnerability could be used.
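Because condition 1 is met by installation alone, a host inventory has to look for the registered controls rather than for use of the product. The following PowerShell script is an added example, not part of the IBM bulletin: it lists COM class registrations whose in-process server is one of the two DLLs named above and reports each file's version for comparison with the fix pack. The function name `Get-RegisteredControl` is hypothetical, and no CLSIDs or fixed file versions are assumed because the bulletin gives none.

```powershell
# Added example (not from the IBM bulletin): find COM registrations that load
# the two DLLs named in the bulletin. Read-only; no registry values are changed.
$targetDlls = @('mraboutb.dll', 'ExportHTML.dll')

# 64-bit view, 32-bit view (WOW6432Node) and per-user registrations.
$clsidRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
)

function Get-RegisteredControl {   # hypothetical helper name
    param([string[]]$Roots, [string[]]$DllNames)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # InprocServer32's default value holds the DLL path for in-process controls.
            $server = $clsidKey.OpenSubKey('InprocServer32')
            if ($null -eq $server) { continue }
            $path = ([string]$server.GetValue('')).Trim('"')
            $server.Close()

            # Compare the file-name component only (-notcontains is case-insensitive).
            $leaf = ($path -split '\\')[-1]
            if ($DllNames -notcontains $leaf) { continue }

            # A stale registration can outlive the file, so handle a missing DLL.
            $version = if (Test-Path -LiteralPath $path -PathType Leaf) {
                (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            } else {
                'file not found'
            }

            [pscustomobject]@{
                Dll         = $leaf
                Clsid       = $clsidKey.PSChildName
                RegistryKey = $clsidKey.Name
                Path        = $path
                FileVersion = $version
            }
        }
    }
}

Get-RegisteredControl -Roots $clsidRoots -DllNames $targetDlls | Format-List
```

An empty result means neither control is registered in the views checked; any row returned identifies a host that needs the fix pack for its release.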
As of January 16, 2012, IBM has not received any reports of customer issues related to these security vulnerabilities.
These vulnerabilities were reported to IBM by the TippingPoint Zero Day Initiative (ZDI) and discovered by a third-party researcher, Andrea Micalizza aka rgod, working with ZDI.
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:
CVSS Base Score: 9.3
CVSS Temporal Score: See the corresponding X-Force reference for each CVE for the current score:
CVE-2012-0188 – http://xforce.iss.net/xforce/xfdb/72118
CVE-2012-0190 – http://xforce.iss.net/xforce/xfdb/72121
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS: IBM SPSS Data Collection versions 5.6, 6.0 and 6.0.1 and SPSS Dimensions 5.5.
The recommended solution is to apply the hotfixes as soon as practical.
Install the fix pack(s) for your release. The fix packs are available for IBM Data Collection versions 5.6, 6.0 and 6.0.1. If you have the SPSS legacy product SPSS Dimensions version 5.5, which is no longer supported by IBM, please contact IBM SPSS Technical Support for assistance with this security vulnerability.
WORKAROUNDS: None known; apply the fixes.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.