Critical security flaw in SAP GUI
An ActiveX vulnerability detected in the SAP GUI may be exploited by an attacker to gain access to critical files and sensitive data. According to an advisory issued by the United States Computer Emergency Readiness Team (US-CERT), the vulnerability can be exploited remotely by an unauthenticated attacker. The flaw is in the ActiveX control MDrmSap, which could crash Internet Explorer when handling malicious code, US-CERT said. The advisory also states that the vulnerable ActiveX control can be disabled in Internet Explorer by setting the appropriate kill bit, or by disabling ActiveX in the Internet Zone.
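The kill-bit mitigation US-CERT describes is a generic Internet Explorer mechanism: a per-CLSID `Compatibility Flags` DWORD with bit 0x400 set tells IE never to instantiate that control. The script below is an added example of applying and verifying it, not code from the advisory or from SAP. The CLSID is a placeholder because the article does not give the MDrmSap control's CLSID; substitute the value from the vendor or US-CERT advisory before use. The registry paths and the 0x400 flag are the standard Microsoft locations.

```powershell
# Added example (not from the advisory): set and verify the IE kill bit for an ActiveX control.
# PLACEHOLDER CLSID: replace with the MDrmSap control's CLSID from the vendor/US-CERT advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Kill-bit registry locations. On 64-bit Windows, 32-bit IE reads the Wow6432Node view,
# so both views are written to cover either IE bitness.
$KillBitPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $KillBitPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}
$KillBitFlag = 0x400   # Compatibility Flags bit meaning "do not instantiate this control"

function Set-ActiveXKillBit {
    param([string[]]$Paths = $KillBitPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Preserve any flags already present and OR in the kill bit.
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBitFlag
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([string[]]$Paths = $KillBitPaths)
    # Returns $true only if the kill bit is present in every registry view checked.
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $v -or (($v -band $KillBitFlag) -eq 0)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit
if (Test-ActiveXKillBit) { 'Kill bit set for the control' } else { 'Kill bit NOT set' }
```

Run from an elevated PowerShell session, since the keys live under HKLM. `Test-ActiveXKillBit` can also be run on its own as a compliance check across a fleet to confirm the mitigation is in place before the vendor update is rolled out.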
The Danish vulnerability clearinghouse Secunia gave the flaw a highly critical rating. To exploit the flaw, an attacker must trick a user into viewing a malicious website or email message, Secunia said.
SAP issued an update correcting the flaw. If you don't have an OSS ID, you can view a PDF copy of the note. However, the one on the SAP site is guaranteed to be up to date, whereas the one here may not be.