SAP users warned of GUI security flaw

SAP users are being warned of a security vulnerability in their SAP graphical user interface (GUI).

The US Computer Emergency Readiness Team (Cert) says the SAPgui's MDrmSap ActiveX control code is vulnerable to remote hackers.

The MDrmSap ActiveX control is provided with the SAPgui software, and Cert says it contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The MDrmSap ActiveX control "contains an unspecified flaw that causes Internet Explorer to crash in an exploitable manner when it attempts to instantiate the control", says Cert.

By convincing a user to view a specially crafted HTML document (a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user, Cert said.

The attacker could also cause Internet Explorer (or the program using the browser) to crash.

Cert said the flaw could be tackled by a patch issued by SAP.


COMMENTS powered by Disqus  //  Commenting policy