SupportSoft Tech Support Tools Leave PCs Vulnerable to Remote Attack

The United States Emergency Readiness Team (US-CERT) has issued an advisory regarding remote tech support tools made by SupportSoft.

The affected software uses ActiveX controls contain multiple buffer overflow vulnerabilities which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The SupportSoft ActiveX controls are essentially small applications that can be run from Microsoft's Internet Explorer. The affected software is often used by Internet service providers, PC makers and other companies to provide support functions such as remote assistance.

SupportSoft is aware of a remote code execution vulnerability that exists in SmartIssue, RemoteAssist, and Probe controls on both the 5.6 Versions and Version 6.x versions of its software. This vulnerability has already been addressed in the latest versions of all SupportSoft software and patches have been delivered and installed by all SupportSoft corporate customers. Users can download the SupportSoft ActiveX Controls Update from the SupportSoft web site.

SupportSoft offers a step-by-step guide to fix the problem, beginning with searching a PC's hard drive for the vulnerable file (tgctlsi.dll) and applying a fix. The US-CERT recommends the SupportSoft fix, but has found eight additional files are vulnerable: tgctlins.dll; sdcnetcheck.dll; tgctlar.dll; tgctlch.dll; tgctlpr.dll; tgctlcm.dll; tglib.dll; and tgctlidx.dll. They also recommend searching a PC for files to determine if a system is vulnerable.

Note that since the vulnerable controls are commonly included with third-party software that is not explicitly packaged as "SupportSoft," searching for the above files is the most effective way to determine if a system is vulnerable.

US-CERT lists 37 companies and organizations that have shipped the affected software. Some have addressed the problem, while others are still listed as vulnerable or unknown. Some of the companies including IBM, BellSouth, Comcast and Time Warner have yet to fix the vulnerability.

Symantec includes the SupportSoft components in its consumer security products. Symantec has issued its own alert along with the fixes. The software affected by the flaws include:

• Symantec Automated Support Assistant
   
• Symantec Norton AntiVirus 2006
   
• Symantec Norton Internet Security 2006
   
• Symantec Norton System Works 2006

Symantec's corporate security products are not affected. The problem is listed as "high" risk, but is mitigated somewhat, because triggering the flaw would require some action on the part of the user.

The security company worked with SupportSoft on updates and has made those available via the LiveUpdate feature in its products, it said. Additionally, in November 2006, the flawed versions of the ActiveX controls were disabled through LiveUpdate, Symantec said.

Visit Bill's Links and More for more great tips, just like this one!