Does Captivate 3.0 or 4.0 use Microsoft Active Templates when publishing to Flash SWF files? A recent security scan of our intranet website indicated that a number of tutorials on our site could make our site vulnerable to hacking if a vulnerable public version of the Microsoft Active Template was used. (Refer to the following paragraph for more information.) Do we need to be concerned about content created using Captivate?
“WebInspect detected the use of an ActiveX object. This could indicate a vulnerability is present if a vulnerable public version of the Microsoft Active Template was utilized. There are three vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. Applications and components created with these versions of ATL are vulnerable to remote code execution and information disclosure attacks. Visual Studio itself is not vulnerable to these issues. In these three vulnerabilities, ATL processes data incorrectly which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. After Visual Studio is patched, it will no longer create applications and components with these vulnerabilities. However, applications and components compiled using the vulnerable version of ATL need to be rebuilt with the safe version released by Microsoft. Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update.”
Link to Active Template Library Security Update for Developers: http://msdn.microsoft.com/en-us/visualc/ee309358.aspx
Thanks
Based on this description of MS Active Templates:
http://en.wikipedia.org/wiki/Active_Template_Library
I can't imagine why they'd be used in Captivate, and I've never heard of them referenced in CP discussions.
So I'd hazard a 'no' response...
Is there any reason you'd ask if they are?
Erik
Thanks for your reply Erik. My reason for asking is described in my (too long) inquiry. I'm not a technical person, but my understanding of the problem is if Captivate uses MS Active Templates when publishing Flash files (ActiveX objects) there could be a security vulnerability. The solution recommended by the security team in my org. was to re-publish older content using the latest version of Captivate. I believe the assumption is that if Captivate does use the Active Templates, Adobe would have applied the Active Templates security patch provided by Microsoft. It's a moot point now anyway because I just purchased Captivate 4 and can re-publish the old content.
Hello:
Did you by any chance ever find a satisfactory answer to your post? We are experiencing the same problem you described and I can't seem to find any information on it.
Appreciate any information you can share!
Sorry Cindy, I haven't received any additional information.
Thank you for the reply. I've been asked to follow this down, so if I learn anything helpful I will share it with the community. Thanks!
Hi Cindy
I'm a bit confused. The initial question that started the thread seemed more informational than problem related.
Your mention of: "We are experiencing the same problem you described and I can't seem to find any information on it." seems to infer you believe you are having a problem that needs addressing.
Aside from the single thread posted here it would seem it really isn't much of a concern. I would think if it were, there would be dozens of threads reporting it or asking about it.
If this is something coming at you from a developer, I might think they are being a bit overly cautious.
Cheers... Rick
Hi again
FWIW, I believe what is being referenced is in the Microsoft bulletin linked below:
I'd like to point out that the date of the bulletin is July 28, 2009. So it seems odd that suddenly it would become a big deal for someone. Further, if there were any issues that Captivate or the installation of Captivate could or should address, I'm confident that Adobe would have taken every measure to post an update to Captivate as a result.
As this has not happened, I can only assume that they are aware of the issue and it's a moot point as far as Captivate and its output files are concerned.
Cheers... Rick
Hi Rick:
It's a problem in that we haven't gotten a concrete answer from Adobe yet as to whether the security vulnerability exists. Like the original post, our problem (if it actually is one) was discovered through a WebInspect audit. To the powers that be at my company an educated guess isn't sufficient. It may be that we need to upgrade to Captivate 4 and that will solve it. Just need to confirm.
Thanks for your response.
Cindy
Hi Cindy
I've just finished sending an E-Mail message to some of the Adobe folks and asked them to look at this thread.
Hopefully we will know something in the next day or so.
Cheers... Rick
Thanks Rick...very kind of you!