SAS For Windows Buffer Overflow Leads To Code Execution
VIENNA, February 27, 2014 /PRNewswire/ —
“SAS for Windows” is part of a software for statistical analysis, data-mining and business intelligence. The software was shipped by the manufacturer SAS Institute Inc. containing a critical vulnerability . The vulnerabilities were discovered in a routine security crash test by experts of the SEC Consult Vulnerability Lab ( http://www.sec-consult.com).
The vulnerability enables state-sponsored or criminal hackers to create a malicious SAS-file, which gives an attacker full control over the attacked computer if the file gets processed with “SAS for Windows”. An attacker can send phishing mails containing such a manipulated SAS-file to subsequently attack the internal corporate network via a compromised client computer.
The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the vulnerability during a crash test, bypass current mitigation techniques on a standard Windows 7 installation (including firewall and anti-virus software) and control the attacked computer remotely over the Internet.
SEC Consult experts recommend immediately installing the update, released by the vendor to counter these vulnerabilities . SEC Consult advises that customers of SAS products should demand from the vendor exhaustive security tests by
(European) security experts before the implementation of the respective software product.
SAS 9.4 TS 1M0 – http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 – http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.2 TS 2M3 – http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260