US-CERT warns of SAP vulnerability

A "highly critical," unspecified hole in the graphical user interface client for the German company's ERP software can cause IE to crash in an exploitable manner, advisories warn.

Tom Espiner Special to CNET News

The U.S. Computer Emergency Readiness Team has warned of a vulnerability in SAP GUI, the graphical user interface client in the German company's enterprise resource-planning software.

The unspecified flaw can cause Microsoft's Internet Explorer browser to crash in an exploitable manner. The flaw lies in an ActiveX control called MDrmSap, a component of SAP GUI.

US-CERT warned in an advisory, updated on Monday, that if users are fooled into viewing a specially crafted HTML document, external attackers might be able to gain control of their system, with their privileges.

A patch is available from SAP, through SAP Note 1142431. Log-in is required to access the patch.

Work-arounds include disabling the MDrmSap ActiveX control in IE by setting the browser's kill bit for CLSID {B01952B0-AF66-11D1-B10D-0060086F6D97}, or, for IT professionals, disabling IE ActiveX controls completely.
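The kill-bit work-around above, as an added example that is not from SAP, US-CERT or the article: the script sets the IE kill bit (the 0x400 "Compatibility Flags" value, which tells IE not to instantiate the control) for the MDrmSap CLSID in both the native and WOW64 registry views, preserving any other flags already present, and then reports whether the bit is set. It assumes an elevated PowerShell prompt.

```powershell
# Added example, not vendor code: set the IE kill bit for the MDrmSap control.
# Run elevated. CLSID is the one named in the US-CERT advisory.
$Clsid   = '{B01952B0-AF66-11D1-B10D-0060086F6D97}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to load the control

# IE reads the ActiveX Compatibility key from the native view and,
# on 64-bit Windows, the 32-bit IE reads the Wow6432Node view.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($Path in $Paths) {
    # The Wow6432Node view only exists on 64-bit Windows
    if ($Path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    # OR the kill bit into any flags already set rather than overwriting them
    $Existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $New = ([int]$Existing) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $New -Type DWord
}

# Verification: confirm the bit is present in every view that exists
foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) { continue }
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    $IsSet = (($Flags -band $KillBit) -eq $KillBit)
    '{0}: Compatibility Flags=0x{1:X} kill bit set={2}' -f $Path, $Flags, $IsSet
}
```

The kill bit only stops IE (and other hosts that honour it) from instantiating the control; it does not unregister the control, so SAP GUI itself keeps working, and the vendor patch in SAP Note 1142431 is still the actual fix.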

Security company Secunia warned in an advisory that the flaw was "highly critical." Versions of SAP GUI affected are 6.x and 7.x, according to Secunia.

Tom Espiner of ZDNet UK reported from London.