SECurity Message Service: Security Vulnerability - "SAS for Windows" Buffer Overflow Leads to Code Execution
VIENNA, February 27, 2014 /PRNewswire/ --
"SAS for Windows" is part of a software for statistical analysis, data-mining and
business intelligence. The software was shipped by the manufacturer SAS Institute Inc.
containing a critical vulnerability [1]. The vulnerabilities were discovered in a routine
security crash test by experts of the SEC Consult Vulnerability Lab ( http://www.sec-consult.com).
The vulnerability enables state-sponsored or criminal hackers to create a malicious
SAS-file, which gives an attacker full control over the attacked computer if the file gets
processed with "SAS for Windows". An attacker can send phishing mails containing such a
manipulated SAS-file to subsequently attack the internal corporate network via a
compromised client computer.
The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the
vulnerability during a crash test, bypass current mitigation techniques on a standard
Windows 7 installation (including firewall and anti-virus software) and control the
attacked computer remotely over the Internet.
SEC Consult experts recommend immediately installing the update, released by the
vendor to counter these vulnerabilities [2]. SEC Consult advises that customers of SAS
products should demand from the vendor exhaustive security tests by (European) security
experts before the implementation of the respective software product.
For further information please contact:
Johannes Greil, MSc
Head of SEC Consult Vulnerability Lab
Tel.: +43-1-890-30-43-0
mailto: research@sec-consult.com