
CERT Coordination Center

Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) cross-site scripting, ActiveX, and Repair Service vulnerabilities

Vulnerability Note VU#602801

Original Release Date: 2010-05-06 | Last Revised: 2010-05-18

Overview

Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) contains a set of vulnerabilities that collectively could allow an attacker to execute arbitrary code on a remote system.

Description

In 2009, Consona acquired SupportSoft's enterprise software assets, including web-based assistance software called Intelligent Assistance Suite (IAS). IAS client components are delivered via ActiveX controls, Netscape-style plugins, or standalone installers. IAS runs on Microsoft Windows platforms. Consona products affected by these vulnerabilities include Consona Live Assistance, Consona Dynamic Agent, Consona Subscriber Assistance, Repair Manager, Consona Subscriber Activation, and Subscriber Agent.

IAS contains vulnerabilities in different components.

1. Cross-site scripting (XSS) in ns6plugindestructor.asp
2. Unsafe methods provided by SdcUser.TgConCtl ActiveX control (tgctlcm.dll)
3. Buffer overflow in SdcUser.TgConCtl ActiveX control (tgctlcm.dll)
4. Local privilege elevation in Repair Service (tgsrv.exe) (only installed on Windows Vista and Windows 7)

Using several of these vulnerabilities, an attacker can execute arbitrary code on a vulnerable system. For example, the XSS vulnerability can be used to instantiate the SdcUser.TgConCtl control, which then can be used to download and execute arbitrary programs using the unsafe methods provided by the control. The Repair Service can be used to elevate from user (or Low-Rights IE) privileges to SYSTEM.

Further details are available in Rubén Santamarta's slides from Rooted CON 2010.

Impact

By convincing a user to view a specially crafted HTML document (web page, HTML email message), an attacker could execute arbitrary code with the privileges of the user, and possibly gain SYSTEM privileges via the Repair Service.

Solution

Apply patches

Sites providing IAS/Consona support services should apply the appropriate patches referenced in the April 2010 Security Bulletin.

Remove ns6plugindestructor.asp

To remove the initial cross-site scripting vector, sites providing IAS/Consona support services can remove ns6plugindestructor.asp from the support web site. Removing this file is unlikely to reduce functionality, but may have side effects.

Limit domain access to the SdcUser.TgConCtl ActiveX control

SupportSoft ActiveX controls can only be scripted from sites that contain valid license information. Following the guidance in the April 2010 Security Bulletin, sites providing IAS/Consona support services can augment domain access restrictions by listing allowed domains in the Windows registry and hosting controls using HTTPS to reduce the possibility of DNS spoofing attacks.

Disable the SdcUser.TgConCtl ActiveX control in Internet Explorer

Web clients of IAS/Consona support services can disable the vulnerable ActiveX control in Internet Explorer by setting the kill bit for the following CLSID:

{01113300-3E00-11D2-8470-0060089874ED}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .reg file and imported into the Windows registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{01113300-3E00-11D2-8470-0060089874ED}]
"Compatibility Flags"=dword:00000400

Disabling this control will likely reduce functionality.
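As an added example (not part of this CERT note), the following PowerShell script audits whether the kill bit is set for this CLSID and optionally sets it, checking both the native view and the Wow6432Node view used by 32-bit Internet Explorer on 64-bit Windows. The Wow6432Node path, the -Apply switch and the registration check against tgctlcm.dll's InprocServer32 entry are this script's own assumptions.

```powershell
# Added example (not part of VU#602801): audit, and optionally set, the IE kill bit
# for the SdcUser.TgConCtl CLSID. Run from an elevated PowerShell prompt when using -Apply.
# Assumptions: 64-bit Windows, where 32-bit IE reads kill bits from the Wow6432Node view;
# the -Apply switch is this script's own convention.
param([switch]$Apply)

$Clsid   = '{01113300-3E00-11D2-8470-0060089874ED}'
$KillBit = 0x400   # COMPAT_KILL_BIT in the "Compatibility Flags" DWORD

$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Report whether the control is registered at all on this host (tgctlcm.dll per the note).
$server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
           -ErrorAction SilentlyContinue).'(default)'
if ($server) { "Control registered: $server" } else { "Control not registered; kill bit is still safe to set" }

function Test-KillBit {
    param([string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in so that any other compatibility flags already present are preserved.
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Type DWord -Value ([int]$flags -bor $KillBit)
}

foreach ($base in $BasePaths) {
    if (Test-KillBit $base) { "$base : kill bit already set"; continue }
    if ($Apply) { Set-KillBit $base; "$base : kill bit set" }
    else        { "$base : kill bit NOT set (re-run with -Apply)" }
}
```

Without -Apply the script only reports, so it can be run as an inventory check across hosts before the change is rolled out.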

Vendor Information


Consona: Affected

Notified: March 26, 2010
Updated: May 18, 2010
Statement Date: April 06, 2010

Status: Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the April 2010 Security Bulletin.

Acknowledgements

This information is based on research by Rubén Santamarta. Thanks to Rubén and Consona for following responsible vulnerability disclosure practices.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 15.52
Date Public: 2010-03-19
Date First Published: 2010-05-06
Date Last Updated: 2010-05-18 20:02 UTC
Document Revision: 27

Sponsored by CISA.