BackWeb
Press Releases

Important Security Update

BackWeb has issued an Update to disable a specific BackWeb component, LiteInstActivator, in versions earlier than BackWeb 8.1.1.87. The component contained a potential security flaw.

This component is part of the BackWeb Client embedded in Logitech Desktop Manager (LDM) versions earlier than 2.56.

A new LDM including a replacement BackWeb LiteInstActivator component is available at the following address: http://www.logitech.com/index.cfm/494/3041.

Microsoft has issued a Cumulative Security Update of ActiveX Killbits to disable this component on customer machines that did not install the new Logitech Desktop Manager. The Security Update will disable the component without requiring any user interaction.

BackWeb recommends that all customers using the Logitech Desktop Manager install the Security Update to merge these changes onto their systems to close any vulnerability that may be present.

The Security Issue

The vulnerability was found in the LiteInstActivator BackWeb DLL, which is used in the BackWeb Web Package ActiveX object. The BackWeb Web Package ActiveX object contains a buffer overflow vulnerability that can lead to remote code execution. The vulnerability could be exploited by a malicious web page viewed by a user in their web browser on a PC with the BackWeb plug-in/client installed, provided the BackWeb plug-in/client installation included the Web Package ActiveX object. The malicious web page would need to include JavaScript code specially crafted for the purpose of interacting with the Web Package ActiveX object. At this time there are no known instances of abuse of this security issue; however, BackWeb has worked with Microsoft to proactively close this potential security issue as soon as it was discovered.

This vulnerability was originally discovered and reported to BackWeb by Will Dormann at the US-CERT. It is further described at the US-CERT web site (http://www.cert.org). Please refer to the CERT Vulnerability Note (identifier CVE-2008-0956): http://www.kb.cert.org/vuls/id/216153

The following control is referenced by the CERT in their advisories.

{40F23EB7-B397-4285-8F3C-AACE4FA40309}
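
To confirm that the kill bit for this control is in place on a machine, the registry can be checked directly. The script below is an added example, not code from BackWeb, Logitech or Microsoft; it assumes the standard Internet Explorer kill bit location (`ActiveX Compatibility\{CLSID}`, `Compatibility Flags` bit 0x400), which this page does not spell out, and the function name `Test-ActiveXKillBit` is hypothetical.

```powershell
# Added example: audit the ActiveX kill bit for the control named in this advisory.
# Assumption (not stated on the page): the kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
$Clsid = '{40F23EB7-B397-4285-8F3C-AACE4FA40309}'   # CLSID quoted in the advisory

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [int]$KillBit = 0x400
    )
    # Check both registry views: native and 32-bit-on-64-bit (WOW6432Node).
    $views = @('SOFTWARE', 'SOFTWARE\WOW6432Node')
    foreach ($view in $views) {
        $root = "HKLM:\$view\Microsoft\Internet Explorer\ActiveX Compatibility"
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent, e.g. 32-bit OS

        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $prop  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue
            $flags = $prop.'Compatibility Flags'
        }

        # Is the COM class still registered in the matching HKCR view?
        $classRoot  = if ($view -like '*WOW6432Node') { 'WOW6432Node\CLSID' } else { 'CLSID' }
        $registered = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$classRoot\$Clsid"

        [pscustomobject]@{
            View         = $view
            Registered   = $registered
            Flags        = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            KillBitSet   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

$results = @(Test-ActiveXKillBit -Clsid $Clsid)
$results | Format-Table -AutoSize

# A registered control without the kill bit is the case the Security Update closes.
$exposed = @($results | Where-Object { $_.Registered -and -not $_.KillBitSet })
if ($exposed.Count -gt 0) {
    Write-Warning "Control $Clsid is registered without a kill bit; install the Security Update or the new LDM."
}
```

A row with `Registered = True` and `KillBitSet = False` means the control can still be instantiated by Internet Explorer on that machine.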

Microsoft and BackWeb have cooperated to release this update as soon as possible in order to do right by all our customers.

BackWeb is grateful for the support provided by the US-CERT and Microsoft to propagate this information and these updates to our customers.

#   #   #

 
 
