A third-party ActiveX control (EdrawSoft) may have been registered in the Windows registry by the CDM client installation process. This ActiveX control contains a security vulnerability that could allow unauthorized file access to the user's machine from malicious web sites.
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82345 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
The EdrawSoft ActiveX control is marked as “safe for scripting”, meaning that once installed on a client machine, it can be controlled from web pages. Users that visit malicious web sites on the Internet can have their local files uploaded to these websites or binary files forcefully downloaded onto their machines. Newly downloaded binary files can also be executed from the malicious web page.
IBM Cognos Disclosure Management 10.2.0
The registration of the ActiveX control should be removed from the Windows registry to prevent any security vulnerabilities. This will not affect how the ActiveX control works within the CDM product; it will only remove access from outside the application.
The following registry keys should be removed if they exist:
It is recommended that the registry keys are backed up prior to making any changes.
Please refer to the instructions below for backing up and deleting a registry key:
- Log in to the machine as a local administrator.
- Open the registry editor (regedit at command line).
- Locate and click on the key that is to be removed.
- Click on the File menu and select 'Export'.
- In the Save In box, select the location and an appropriate file name for the exported file, then click Save.
- Delete the key by right clicking on the key and selecting 'Delete'.
- To restore a key, double click on the saved .reg file.
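The same backup-and-delete procedure can be scripted for repeatable deployment. The following PowerShell is an added example, not part of the IBM bulletin: the CLSID is a placeholder (substitute the key named in the bulletin), the backup directory is an assumption, and it must run from an elevated local administrator session. It also checks for the "safe for scripting" component category subkey, which is what makes a control reachable from web pages.

```powershell
# Added example (not from the IBM bulletin): back up and remove the registry
# registration of an ActiveX control, mirroring the manual regedit steps above.
# The CLSID below is a PLACEHOLDER; substitute the key(s) named in the bulletin.
# Run from an elevated (local administrator) PowerShell session.

$Clsid     = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
$KeyPath   = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
$BackupDir = 'C:\RegBackup'                             # assumed backup location
# Component category GUID that marks a control as "safe for scripting".
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

function Test-SafeForScripting {
    param([string]$ClsidKey)
    # A control is scriptable from web pages when this category subkey exists.
    Test-Path (Join-Path $ClsidKey "Implemented Categories\$SafeForScripting")
}

function Backup-RegistryKey {
    param([string]$Path, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # reg.exe expects the native hive name, not the PowerShell drive form.
    $Native = $Path -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $File   = Join-Path $OutDir "clsid-backup-$Stamp.reg"
    # Equivalent of File > Export in regedit; restore with: reg import <file>
    & reg.exe export $Native $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $Native" }
    return $File
}

if (-not (Test-Path $KeyPath)) {
    Write-Host "Key $KeyPath not present; nothing to do."
    return
}

if (Test-SafeForScripting $KeyPath) {
    Write-Host "Control is marked safe for scripting (reachable from web pages)."
}

$Backup = Backup-RegistryKey -Path $KeyPath -OutDir $BackupDir
Write-Host "Backed up to $Backup"

# Equivalent of right-click > Delete in regedit; -Recurse removes subkeys too.
Remove-Item -Path $KeyPath -Recurse -Force
Write-Host "Removed $KeyPath"
```

On 64-bit Windows a 32-bit control registers under HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID instead, so check that path as well before concluding the key is absent.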
This issue has been corrected in an update from EdrawSoft and will be included in future releases of CDM.
For more assistance, please contact IBM Support.
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82345
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
5 April 2013: Original Copy Published