Fortinet Discovers IBM SPSS Statistics ActiveX Control Arbitrary Code Execution Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered an arbitrary code execution vulnerability in the IBM SPSS Statistics ActiveX control. IBM SPSS Statistics is an integrated family of products that addresses the entire analytical process, from planning to data collection to analysis, reporting and deployment. SPSS Statistics is loaded with powerful analytic techniques and time-saving features to help you quickly and easily find new insights in your data, so you can make more accurate predictions and achieve better outcomes for your organization.
The vulnerability exists due to insufficient sanitization of the parameter value passed to the function 'LongAsObject'. This could allow an attacker to pass a malicious parameter value to the ActiveX control, resulting in arbitrary code execution on the victim's system.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability: IBM.SPSS.Statistics.ActiveX.Arbitrary.Code.Execution
Released Apr 29, 2015
Users should apply the solution provided by IBM.