TeamOn Import Object ActiveX control vulnerability

Article ID: KB13142

Type:   Security Advisory

First Published: 05-10-07

Last Modified: 09-02-2010

 

Product(s) Affected:

  • BlackBerry Internet Service

Affected Software

  • BlackBerry® Internet Service 2.0
  • Microsoft® Internet Explorer®
  • T-Mobile® My E-mail

Note: The BlackBerry Internet Solution is designed to work with T-Mobile My E-mail to give BlackBerry device users secure, direct access to any combination of registered enterprise, proprietary, Post Office Protocol 3 (POP3), or Internet Message Access Protocol 4 (IMAP4) email accounts on their BlackBerry devices using a single user login account.

To determine which version of the BlackBerry Internet Service you are using, see KB04989.

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.0 (Critical).

Overview

A vulnerability identified by the CERT Coordination Center (CERT/CC) exists in the TeamOn Import Object Microsoft ActiveX® control used by BlackBerry Internet Service 2.0 on the BlackBerry Internet Service and the T-Mobile My E-mail web sites.

Recommendation

Apply the software updates from Microsoft detailed in the Resolution section.

References

This article is in reference to United States Computer Emergency Response Team (US-CERT) Advisory VU#869641.

Problem

When a user views the BlackBerry Internet Service or T-Mobile My E-mail web site in Internet Explorer and installs and runs the TeamOn Import Object ActiveX control that those sites use, the installed control introduces the vulnerability to the system.

The TeamOn Import Object ActiveX control has the following properties:

  • Publisher: Research In Motion
  • File name: TOImport.dll
  • Class identifier: 1D95A7C7-3282-4DB7-9A48-7C39CE152A19

Resolution

The BlackBerry Internet Service and T-Mobile My E-mail web sites have been updated to use the correct ActiveX control.

Install additional fixes to protect ActiveX controls from misuse in Internet Explorer

Microsoft has issued the following Security Bulletins and software updates for critical security vulnerabilities related to ActiveX controls. For further protection against the issue described in this security advisory, review and install all of the Microsoft updates listed below:

Date of issue        Link to security bulletin and software updates
October 13, 2009     MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office could allow remote code execution
September 8, 2009    Microsoft Security Bulletin MS09-037 - Critical - Cumulative Security Update for Internet Explorer

Workaround

Remove and disable the ActiveX control from Internet Explorer.

To remove the ActiveX control from Internet Explorer, complete the following steps:

  1. In Internet Explorer, select Tools > Internet Options.
  2. Under Temporary Internet Files, click Settings.
  3. Click View Objects.
  4. Right-click TeamOn Import Object, then click Remove.
  5. Click Yes.
  6. Restart Internet Explorer.

To disable the ActiveX control, create a registry key in the Windows Registry for the control's class identifier and give it a Compatibility Flags DWORD value containing the kill bit (00000400). This prevents Internet Explorer from calling that ActiveX control, if it exists, unless the "Initialize and script ActiveX controls not marked as safe" option is enabled in Internet Explorer. It also prevents Internet Explorer from reinstalling that ActiveX control at the request of another web site.

Warning: The following procedure involves modifying the computer registry. This can cause substantial damage to the Microsoft Windows® operating system. Document and back up the registry entries prior to implementing any changes.

  1. In the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.
  2. Right-click ActiveX Compatibility, then select New > Key.
  3. Type {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} as the key name and press ENTER.

    Note: This is the class identifier of the ActiveX control.

  4. Right-click {1D95A7C7-3282-4DB7-9A48-7C39CE152A19}, then select New > DWORD Value.
  5. Type Compatibility Flags as the new DWORD Value name and press ENTER.
  6. Double-click Compatibility Flags.
  7. In the Value data field, type 00000400 and click OK.
  8. Close the Registry Editor and restart Internet Explorer.
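The same kill-bit procedure, scripted so it can be applied and verified across many machines. This is an added example, not part of the BlackBerry advisory; it assumes an elevated (Administrator) PowerShell session, and the function names (Test-ControlRegistered, Test-KillBit, Set-KillBit) are my own.

```powershell
# Added example; not from the BlackBerry advisory. Assumes an elevated
# (Administrator) PowerShell session on the affected Windows machine.
$Clsid      = '{1D95A7C7-3282-4DB7-9A48-7C39CE152A19}'   # CLSID from the advisory
$CompatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400                                       # COMPAT_EVIL_DONT_LOAD

function Test-ControlRegistered {
    # True if the control is still registered on the machine (InprocServer32 present).
    param([string]$ClassId)
    Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$ClassId\InprocServer32"
}

function Test-KillBit {
    # True if the kill bit is already set in Compatibility Flags for this CLSID.
    param([string]$ClassId)
    $keyPath = Join-Path $CompatBase $ClassId
    $prop = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ((([int]$prop.'Compatibility Flags') -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Creates the per-CLSID key and ORs the kill bit into Compatibility Flags,
    # preserving any flags already present (the manual steps write 00000400 directly).
    param([string]$ClassId)
    $keyPath = Join-Path $CompatBase $ClassId
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $current = 0
    $prop = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $current = [int]$prop.'Compatibility Flags' }
    New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

# Inventory first: is the vulnerable control present at all?
if (Test-ControlRegistered $Clsid) {
    Write-Output "TeamOn Import Object ($Clsid) is registered on this machine."
} else {
    Write-Output "TeamOn Import Object ($Clsid) is not registered; the kill bit still blocks reinstallation."
}

# Apply the kill bit if missing, then confirm.
if (-not (Test-KillBit $Clsid)) { Set-KillBit $Clsid }
Write-Output ("Kill bit set for {0}: {1}" -f $Clsid, (Test-KillBit $Clsid))
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run the functions against that base path as well. Restart Internet Explorer afterwards, as in the manual steps.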

Alternatively, Internet Explorer can be configured to disable ActiveX controls in the Internet Zone (or any zone used by an attacker), which serves to prevent exploitation of this and other ActiveX vulnerabilities. For more information on disabling and removing ActiveX controls, search for article 240797 in the Microsoft Support Knowledge Base.

Additional Information

CVSS

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security-relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

Research In Motion (RIM) would like to acknowledge the Microsoft Corporation for also including the kill bits from this security update in the May 2007 Cumulative Security Update for Internet Explorer. BlackBerry Internet Service subscribers should primarily look for the RIM security update to resolve this issue.

For more information about the May 2007 Cumulative Security Update for Internet Explorer, search for Microsoft Security Bulletin MS07-027: Cumulative Security Update for Internet Explorer in the Microsoft TechNet web site.

Change Log

09-02-10

Updates to article formatting. No technical content changed.

10-20-09

Article updated to link to the latest ActiveX control fix from Microsoft. For further details, see the Resolution section.

09-16-09

Article updated to link to the latest ActiveX control fix from Microsoft. For further details, see the Resolution section.

07-31-09

Article updated to recommend applying an additional ActiveX control fix from Microsoft for protection against the issue described in this advisory. For further details, see the Resolution section.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.