SAP users are being warned of a security vulnerability in their
SAP graphical user interface (GUI).
The US Computer Emergency Readiness Team (Cert) says the SAPgui's
MDrmSap ActiveX control code is vulnerable to remote hackers.
The MDrmSap ActiveX control is provided with the SAPgui
software, and Cert says it contains a vulnerability that can allow
a remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system.
The MDrmSap ActiveX control "contains an unspecified flaw that
causes Internet Explorer to crash in an exploitable manner when it
attempts to instantiate the control", says Cert.
By convincing a user to view a specially crafted HTML document
(a web page or an HTML email message or attachment), an attacker
may be able to execute arbitrary code with the privileges of the
user, Cert said.
The attacker could also cause Internet Explorer (or the program
using the browser) to crash.
Cert said the flaw could be tackled by a patch issued by
SAP.