STE WILLIAMS

SAS For Windows Buffer Overflow Leads To Code Execution

VIENNA, February 27, 2014 /PRNewswire/ —

“SAS for Windows” is part of a software suite for statistical analysis, data mining and business intelligence. The software was shipped by the manufacturer SAS Institute Inc. containing a critical vulnerability [1]. The vulnerability was discovered in a routine security crash test by experts of the SEC Consult Vulnerability Lab (http://www.sec-consult.com).

The vulnerability enables state-sponsored or criminal hackers to create a malicious SAS file that gives an attacker full control over the attacked computer once the file is processed with “SAS for Windows”. An attacker can send phishing mails containing such a manipulated SAS file and then use the compromised client computer to attack the internal corporate network.

The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the vulnerability during a crash test, bypass current mitigation techniques on a standard Windows 7 installation (including firewall and anti-virus software) and control the attacked computer remotely over the Internet.

SEC Consult experts recommend immediately installing the update released by the vendor to counter these vulnerabilities [2]. SEC Consult advises that customers of SAS products should demand from the vendor exhaustive security tests by (European) security experts before the implementation of the respective software product.

[1] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

[2] Vendor hotfixes:

SAS 9.4 TS 1M0 – http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004

SAS 9.3 TS 1M2 – http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069

SAS 9.2 TS 2M3 – http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260

Article source: http://www.darkreading.com/vulnerability/sas-for-windows-buffer-overflow-leads-to/240166373
