Advisory Details
- Date: June 27th, 2006
- Title: GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability
- ZDI: ZDI-06-019, ZDI-CAN-040
- CVE ID: CVE-2006-3134

Affected Vendors
- GraceNote

Affected Products
- ActiveX CDDB Control

Vulnerability Details
- This vulnerability allows remote attackers to execute arbitrary code on systems with certain versions of the GraceNote CDDBControl ActiveX control installed.
- There is a buffer overflow in an ActiveX object used by several products for CD information lookup.
- The ActiveX object is commonly registered as safe and can therefore be instantiated from a malicious web site.
- An attacker can gain control of the process and execute arbitrary code.

Additional Details
- Recently, a security vulnerability was found in a limited number of products.
- Gracenote took immediate action and developed a software patch for affected customers.
- Customers will be alerted through normal channels to update their applications.

Disclosure Timeline
- 2006-04-17 – Vulnerability reported to vendor.
- 2006-06-27 – Coordinated public release of advisory.

Credit
- Peter Vreugdenhil