NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow Vulnerability

Risk

High

Date Discovered

January 24, 2007

Description

NCTsoft NCTAudioFile2 ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer. NCTAudioEditor is a collection of ActiveX controls for manipulating audio data. Numerous audio software products use the vulnerable 'NCTAudioFile2.AudioFile' ActiveX component. NCTAudioStudio 2.7.1, NCTAudioEditor 2.7.1, and NCTDialogicVoice 2.7.1 are affected by this vulnerability; other versions may be affected as well. NOTE: Please see the vulnerable systems section for third-party products that are affected because they depend on this ActiveX control.

Technologies Affected

  • A-one Software DVD Creator 5.72
  • A-one Software Video Joiner 4.75
  • A-one Software Video To Audio 4.42
  • ALO Software ALO Audio Editor 3.2
  • ALO Software ALO RM to MP3 Converter 7.0
  • AMW Gold Wave Editor 9.9
  • Absolute Software Absolute MP3 Splitter 2
  • Absolute Software Absolute Sound Recorder 3
  • Absolute Software Absolute Video to Audio Converter 2
  • Absolute Software MP3 Splitter 2.5.4
  • Absolute Software Sound Recorder 3.4.5
  • Absolute Software Video to Audio Converter 2.7.9
  • Akram Software Akram Audio Converter 5
  • Akram Software Akram Audio Editor 2
  • Akram Software Akram Media Creator 1
  • Altdo Software Altdo Convert Mp3 Master 1
  • Altdo Software Convert Mp3 Master 1.1
  • Altdo Software Mp3 Record&Edit Audio Maste 1.2
  • Altdo Software Mp3 Record&Edit Audio Master 1
  • American Shareware Technologies MP3 WAV Converter 3
  • Arial Audio Converter 2.3.40
  • Arial Sound Recorder 1.4.3
  • Audio Tools Factory Vista MP3 Recorder 1.00
  • AudioEditMagic Audio Edit Magic 9.2.3
  • AudioEditMagic Audio Edit Magic 9.2.3 389
  • Audiotool.net Ease MP3 Recorder 1
  • Aurora Software Aurora Media Workshop 3
  • Aurora Software Aurora Media Workshop 3.3.25
  • Cheeta Technologies CD Burner 3
  • Cheeta Technologies CD Burner 3.56
  • Cheeta Technologies DVD Burner 1
  • Cheeta Technologies DVD Burner 1.79
  • Code-it Software RockN Audio 4
  • Code-it Software Wave MP3 Editor 10
  • Code-it Software aBasic Editor 10
  • Code-it Software aBasic Editor 10.1
  • Color7 Technology Music Fan's Factory 9.2.23
  • Color7 Technology Power Music Editor 7.4.0.10
  • ColorfulSoft Colorful Audio Recorder 2.0
  • ColorfulSoft Colorful Music Editor 2.0
  • Cool Audio Software Magic Audio Editor Pro 10
  • Cool Audio Software Magic Music Studio Pro 7
  • DanDans Digital Media Easy Audio Editor 7
  • DanDans Digital Media Full Audio Converter 4
  • DanDans Digital Media Music Editing Master 5
  • DanDans Digital Media Visual Video Converter 4
  • Digital Borneo DB Audio Mixer and Editor 1
  • Digital Borneo DB Audio Mixer and Editor 1.1.0
  • Digital Smart Audio Convert Master 7.4.0.10
  • Digital Smart Digital Audio CD Burner 7.4.0.10
  • Digital Smart Digital Audio Editor 7.4.0.10
  • Digital Smart Digital Music Digital Edit Burn Studio 8.0.4.1
  • Digital Smart Digital Music Record Convert Burn Station 7.4.3.15
  • EXPStudio Audio Editor 4
  • Easy Ringtone Maker Easy Ringtone Maker 2
  • Focus Systems Focus All CD/DVD Burner 2.1.0.1
  • Focus Systems Focus Audio Converter 3.2
  • Focus Systems Focus MP3 Recorder Pro 3.4
  • Focus Systems Focus MP3 Recorder Splitter 3.4
  • H+H Software Virtual CD 6
  • H+H Software Virtual CD 7
  • H+H Software Virtual CD 8
  • H+H Software Virtual CD File Server 7
  • HiFi Software CD To MP3 RM Ripper 1.70
  • HiFi Software HiFi MP3 Recorder Joiner 2.00
  • HiFi Software HiFi OGG Splitter Joiner 3.00
  • HiFi Software HiFi WAV Splitter Joiner 3.00
  • HiFi Software HiFi WMA Recorder Joiner 2.00
  • HiFi Software HiFi WMA Splitter Joiner 3.00
  • HiFi Software MP3 Audio Recorder Joiner 2.11
  • HiFi Software MP3 Audio Splitter Joiner 3.00
  • HiFi Software MP3 WMA Cutter 2.00
  • HiFi Software RM Audio Converter 2.70
  • HiFi Software RM MP3 Converter 2.70
  • HiFi Software RM OGG Converter 2.70
  • HiFi Software RM WAV Converter 2.70
  • HiFi Software RM WMA Converter 2.70
  • Hit-Recorder Hit-Recorder 1.7.0 0
  • Hit-Recorder Hit-Recorder 2.2.3 7
  • J. Hepple FX Audio Editor 4
  • J. Hepple FX Audio Tools 7
  • J. Hepple FX ConCat Audio Joiner 1
  • J. Hepple FX Joiner and Splitter 6
  • J. Hepple FX Magic Music 5
  • J. Hepple FX Movie Joiner 6
  • J. Hepple FX Movie Splitter 6
  • J. Hepple FX New Sound 5
  • J. Hepple FX Video Converter 7
  • Joshua Mediasoft Audio Converter Plus 2.2
  • Joshua Mediasoft Video Converter Plus 3.01
  • MP3-Soft MP3 Normalizer 1.03
  • Magic Software Magic Rm AVI Mpeg to MP3 Converter & Editor 2
  • Magic Video Software Magic Audio Converter 8
  • Magic Video Software Magic Audio Recorder 5
  • Magic Video Software Magic Music Editor 5
  • McFunSoft Audio Editor 6
  • McFunSoft Audio Recorder for Free 6
  • McFunSoft Audio Studio 6
  • McFunSoft Recording to iPod Solution 5
  • McFunSoft iPod Audio Studio 6
  • McFunSoft iPod Music Converter 5
  • MightSOFT Audio Editor Pro 2
  • MightSOFT EZ Audio Server 2
  • Movavi ChiliBurner 2
  • Movavi ConvertMovie 3
  • Movavi ConvertMovie 4
  • Movavi DVD to iPod 1
  • Movavi Splitmovie 1
  • Movavi VideoMessage 1
  • Movavi VideoSuite 3
  • Musiclab BearShare 6.0.2.26789
  • Mystik Media AudioEdit Deluxe 3
  • Mystik Media AudioEdit Deluxe 4
  • Mystik Media AudioEdit Deluxe 4.10
  • Mystik Media Blaze Media Convert 3
  • Mystik Media Blaze Media Convert 3.4
  • Mystik Media Blaze Media Pro 6
  • Mystik Media Blaze Media Pro 7
  • Mystik Media Context Convert Pro 3
  • Mystik Media ContextConvert Pro 3.1
  • NCTsoft NCTAudioEditor ActiveX DLL 2
  • NCTsoft NCTAudioStudio ActiveX DLL 2
  • NCTsoft NCTDialogicVoice ActiveX DLL 2
  • NextLevel Software Audio Editor Gold 0.2.5 Build 424
  • NextLevel Software Audio Editor Gold 9
  • NextLevel Software Audio Studio Gold 7
  • Oracle Siebel SimBuilder 7.8.5 build 2635
  • Plato Software DVD Creator 3.7
  • Plato Software Video Joiner 4.57
  • Quikscribe Player 5
  • Quikscribe Recorder 5
  • RMBSoft Audio Converter 3
  • RMBSoft AudioConvert 3.1.0.125
  • Recordnrip RecordNRip 1
  • Roemer Software Easy Hi-Q Converter 1.7
  • Roemer Software Easy Hi-Q Recorder 2.0
  • Roemer Software Free Hi-Q Recorder 1.9
  • Sienzo Digital Music Mentor 2
  • SmartMedia Systems Power Audio Editor 11
  • SoftDiv Dexster Audio Editor 3
  • SoftDiv MP3 to WAV Converter 3
  • SoftDiv Snosh 1
  • SoftDiv VIDEOzilla 2
  • SoftDiv iVideoMAX 3
  • Stefan Bethge CDBurnerXP Pro 3.0.116
  • Stefan Haglund, Fredrik Haglund, Florian Schmitz CDBurner XP Pro 2
  • Stefan Haglund, Fredrik Haglund, Florian Schmitz CDBurner XP Pro 3
  • TEC Software TEC Sound Recorder 1.0
  • Xrlly Software Arial Audio Converter 2
  • Xrlly Software Arial Sound Recorder 1
  • Xrlly Software Text to Speech Maker 1
  • goodvdsoft.com Easy DVD Converter 1.00
  • goodvdsoft.com Goo DVD To Audio Converter 1.00
  • goodvdsoft.com Goo DVD To MP3 Converter 1.00
  • goodvdsoft.com Goo DVD To MPEG Converter 1.00
  • goodvdsoft.com Goo DVD To OGG Converter 1.00
  • goodvdsoft.com Goo DVD To RM Converter 1.00
  • goodvdsoft.com Goo DVD To Video Converter 1.00
  • goodvdsoft.com Goo DVD To WAV Converter 1.00
  • goodvdsoft.com Goo DVD To WMA Converter 1.00
  • goodvdsoft.com Goo DVD To WMV Converter 1.00
  • iMesh iMesh 7

Recommendations

Set web browser security to disable the execution of script code or active content.

Disabling support for client-side scripting and active content may limit exposure to this issue. This is especially prudent for untrusted sites in the Internet Zone.

Do not use client software to access unknown or untrusted hosts from critical systems.

To reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

Do not accept communications that originate from unknown or untrusted sources.

Do not open or view email from unknown or untrusted sources. Configuring email clients to view messages as plain text will also mitigate this issue.

Implement multiple redundant layers of security.

Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

Run all software as a nonprivileged user with minimal access rights.

Perform all nonadministrative tasks, such as browsing the web, as an unprivileged user with minimal access rights.

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
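
With no vendor patch available, a host check helps decide where the workarounds above matter. The following read-only audit is an added example, not part of the original advisory: it resolves the 'NCTAudioFile2.AudioFile' ProgID named in the description to whatever CLSID is registered on the local machine and reports whether Internet Explorer's kill bit (Compatibility Flags 0x400) is set for it. The function name Get-ActiveXExposure and the version-suffix wildcard are assumptions.

```powershell
# Added example: read-only audit, makes no registry changes.
# The ProgID comes from the advisory text; the CLSID is resolved on the host,
# never hard-coded, because the advisory does not list it.
function Get-ActiveXExposure {
    param([string]$ProgId = 'NCTAudioFile2.AudioFile')

    # Check both registry views: 32-bit controls on 64-bit Windows
    # register under WOW6432Node. Per-user (HKCU) registrations are not covered.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {

        # Match the ProgID and any version-suffixed variant (assumption).
        $progKeys = Get-Item -Path "$root\Classes\$ProgId*" -ErrorAction SilentlyContinue

        foreach ($key in $progKeys) {
            $clsidKey = $key.OpenSubKey('CLSID')
            if (-not $clsidKey) { continue }
            $clsid = $clsidKey.GetValue('')      # default value holds the {GUID}

            # Path of the DLL that implements the control, if registered in-process.
            $server = Get-Item -LiteralPath "$root\Classes\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue

            # Internet Explorer refuses to instantiate a control whose
            # Compatibility Flags value has bit 0x400 (the kill bit) set.
            $compat = Get-Item -LiteralPath `
                "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" `
                -ErrorAction SilentlyContinue
            $flags = if ($compat) { [int]$compat.GetValue('Compatibility Flags', 0) } else { 0 }

            [pscustomobject]@{
                RegistryView = $root
                ProgId       = $key.PSChildName
                Clsid        = $clsid
                Binary       = if ($server) { $server.GetValue('') } else { $null }
                KillBitSet   = [bool]($flags -band 0x400)
            }
        }
    }
}

$found = @(Get-ActiveXExposure)
if ($found.Count -eq 0) { 'Control is not registered machine-wide on this host.' }
else { $found | Format-List }
```

A row with KillBitSet equal to False identifies a host where the control can still be instantiated from web content in Internet Explorer, whichever product in the list above installed it.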

Credits

Secunia Research and Will Dormann of CERT/CC are credited with the discovery of this vulnerability.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
