US-CERT warns of SAP vulnerability

A "highly critical," unspecified hole in the graphical user interface client for the German company's ERP software can cause IE to crash in an exploitable manner, advisories warn.

The U.S. Computer Emergency Readiness Team has warned of a vulnerability in SAP GUI, the graphical user interface client in the German company's enterprise resource-planning software.

The unspecified flaw can cause Microsoft's Internet Explorer browser to crash in an exploitable manner. The flaw lies in an ActiveX control called MDrmSap, a component of SAP GUI.

US-CERT warned in an advisory, updated on Monday, that if users are fooled into viewing a specially crafted HTML document, external attackers might be able to gain control of their system, with their privileges.

A patch is available from SAP, through SAP Note 1142431. Log-in is required to access the patch.

Work-arounds include disabling the MDrmSap ActiveX control in IE by setting the browser's killbit for CLSID (B01952B0-AF66-11D1-B10D-0060086F6D97), or IT professionals could disable IE ActiveX controls completely.

Security company Secunia warned in an advisory that the flaw was "highly critical." Versions of SAP GUI affected are 6.x and 7.x, according to Secunia.

Tom Espiner of ZDNet UK reported from London.


Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Bento boxes and gear for hungry geeks (pictures)
The best tech products of 2014
Does this Wi-Fi-enabled doorbell Ring true? (pictures)
Seven tips for securing your Facebook account
The best 3D-printing projects of 2014 (pictures)
15 crazy old phones from a Korean museum (pictures)