The other day I read about the security problem in the SAP GUI. I got it from one of the Danish computer sites (version2.dk), which had picked up the story from US-CERT. I do not follow SAP patches for security updates, since it is not my area of expertise (anymore). I therefore hope that somebody informs me if I have to do something and should patch my PC.
The vulnerability would allow a malicious website to execute arbitrary code on the user's computer. If I read the description correctly, it means that any employee with SAP GUI installed will be affected. The vulnerability is described in SAP Note 1142431.
There are two problems with this:
- Few organizations upgrade their SAP GUIs, because doing so requires a lot of testing to verify that all functions continue to work.
- SAP GUI is deployed to a lot of users in companies of all sizes.
There are two fixes: either disable the vulnerable ActiveX component or deploy a GUI patch. Disabling the component is probably not a large problem, since this can be done via Active Directory. Installing the new GUI can cause problems because of all the testing required, and the business case looks rather poor unless it is evaluated with a security ROI model.
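The "disable the ActiveX component" option usually means setting the Internet Explorer kill bit for the control's CLSID, which is a registry value and therefore easy to push out with Group Policy. The script below is an added example written for this post, not code from SAP or from the original article. The CLSID in it is a placeholder; the real CLSID of the affected control has to be taken from SAP Note 1142431. The kill bit mechanism itself (a `Compatibility Flags` DWORD of 0x400 under `ActiveX Compatibility`) is Microsoft's documented one.

```powershell
# Added example (not from the original post): set the Internet Explorer
# kill bit for an ActiveX control so IE refuses to instantiate it, then
# verify the setting. The CLSID is a PLACEHOLDER; use the CLSID of the
# affected SAP GUI control from SAP Note 1142431.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'  # placeholder, not the real control
$KillBit = 0x400                                     # "Compatibility Flags" kill bit (Microsoft KB240797)

# Both hives matter on 64-bit Windows: 32-bit IE reads the Wow6432Node copy.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid, [string[]]$BasePaths)
    foreach ($Base in $BasePaths) {
        if (-not (Test-Path $Base)) { continue }       # Wow6432Node is absent on 32-bit Windows
        $Key = Join-Path $Base $Clsid
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        $Current = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit into any flags already present instead of overwriting them
        $New = ([int]$Current) -bor $KillBit
        Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $New -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if every applicable hive has the kill bit set.
    param([string]$Clsid, [string[]]$BasePaths)
    $Ok = $true
    foreach ($Base in $BasePaths) {
        if (-not (Test-Path $Base)) { continue }
        $Key = Join-Path $Base $Clsid
        $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $Flags -or (($Flags -band $KillBit) -eq 0)) {
            Write-Warning "Kill bit NOT set under $Key"
            $Ok = $false
        }
    }
    return $Ok
}

# Run as administrator; HKLM is not writable otherwise.
Set-ActiveXKillBit -Clsid $Clsid -BasePaths $BasePaths
if (Test-ActiveXKillBit -Clsid $Clsid -BasePaths $BasePaths) {
    'Kill bit set in all applicable hives'
}
```

For an Active Directory rollout, the same registry value can be delivered as a Group Policy Preferences registry item, or the script can run as a computer startup script; the `Test-ActiveXKillBit` function is the part worth keeping for a compliance check afterwards. One caveat: the kill bit only stops Internet Explorer (and hosts that honor it) from loading the control; it does not remove the control, so the GUI patch remains the complete fix.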
So what can the problem be for an organization? If I as an attacker wanted to gain network access to an organization that ran SAP, then I would send a mail to some employees with a link to a site where I had deployed some code that used this exploit. I would therefore be able to install any program on the victims' computers. The program could pick up and send sensitive information to me, or just remote control the computer to make attacks on other parts of the organization.
When searching the US-CERT website for security problems in SAP, there are only 4 security vulnerabilities listed since 2007. I don't know if there are other sites to search for more information. I believe it is impressive that so few problems have been found in such a complex product. It must mean either that the architecture has been correct or that nobody is doing security testing.
With only 4 SAP security errors, the IT organization does not get the same experience in rolling out patches to users as a Windows organization, where this is done automatically. The other vulnerabilities looked like they were problems on the SAP server. I therefore believe that it will take a long time before everybody has blocked the vulnerability.