
My company distributes a reminder-tracking VB6 program to clients that sends out email reminders about deadlines and tracks user replies. Recently, we were approached by a prospective client who is concerned about VB6 vulnerabilities. He sent us a link to the CVE website and we identified two vulnerabilities that affect ActiveX controls used by our software - CVE-2012-1856 and CVE-2012-0158. We are very keen on ensuring that we are not exposing our clients to possible exploits.

CVE webpage: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-322/version_id-66303/Microsoft-Visual-Basic-6.0.html

I found a forum post on a VB6 forum from 2015 in which a user claimed the following in relation to one of these vulnerabilities: (link: http://www.vbforums.com/showthread.php?794875-VB6-Vulnerability)

This isn't an issue for VB6 programs.

The problem described is only exposed when you load a page in IE from a malicious site and you have relaxed IE security settings enough to allow ActiveX controls embedded in the page to run, or use an email client supporting embedded ActiveX controls to open a malicious HTML-formatted email with similar lax security settings. The only other possibility is downloading and running programs you shouldn't trust.

And for that matter the entire thing is 3 years old and has long been patched on supported versions of Windows:

Microsoft Security Bulletin MS12-027 - Critical
Microsoft Security Bulletin MS12-060 - Critical

It sounds to me like the Canadian Cyber Kids are just looking for some press.

(link to MS12-027: https://technet.microsoft.com/en-us/library/security/ms12-027.aspx)

(link to MS12-060: https://technet.microsoft.com/en-us/library/security/MS12-060)

The Microsoft Security Bulletins linked in the post seem to back up his claim that this is primarily a web-based issue. However, I still have several questions on the topic and have had difficulty finding answers online:

  • Our VB6 program has no interaction with IE or any other Microsoft program. It receives a lot of emails from a fixed list of user email addresses, but it is mostly monitoring the act of replying and a short code that it uses to identify the expected reply. No attachments or long strings are processed, just that short code. The program does not have the ability to open or process .doc, .rtf or any other similar file types. All data is written to or read from a local database. Is there any danger of these VB6 vulnerabilities affecting our program?
  • If we were to install our program on a client site and it installs and registers an old version of MSCOMCTL.OCX in the Windows system folder (overwriting a newer version), could this open up all of our client's Microsoft applications to the vulnerability? If they have a bunch of Microsoft programs installed that are affected by this vulnerability and they are now pointing to a vulnerable version of MSCOMCTL.OCX, it seems to me like this would make them vulnerable to exploits. Is this assumption correct?
  • The patches available for download on the Microsoft Security Bulletin webpages are meant to be installed on a per-program basis for all Microsoft programs affected by the vulnerability. If I would like to update my copy of Visual Basic 6.0 to patch the vulnerability in our VB6 application, is that sufficient or do I need to install the update for all affected Microsoft programs? Aren’t they all just pointing to the same MSCOMCTL.OCX file? Why are multiple updates even needed? Is it simply to update the references to the OCX file in the Windows registry for every MS program?
  • Another user posted on the forum mentioned above with the following:

The worst part is that Microsoft stumbled and bumbled, releasing several (five or six?) attempts at the "security rollup" package. Many versions contained "off by one" programming bugs that broke several of the controls included. Don't stumble off and download one of them... you might get unlucky. They can't be uninstalled, so you can break VB6 on your machine.

This makes me very wary of installing the proposed updates (referred to in MS12-027 and MS12-060). Are this user's concerns valid? Are there any issues with the patches proposed in the Security Bulletins?

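The questions about which MSCOMCTL.OCX a client machine is actually running, and whether an installer would downgrade it, can be answered empirically on the target machine. The following PowerShell script is an added example, not part of the original question or its replies: it reports the file version of every MSCOMCTL.OCX in the system folders, lists the CLSIDs whose InprocServer32 points at that file, and shows whether each CLSID carries a kill bit (Compatibility Flags bit 0x400). The `$MinimumVersion` default is a placeholder assumption; take the real post-patch version from the file-information table of the bulletin you are evaluating. `Test-SafeToInstallOcx` is a hypothetical helper showing the check an installer should make before copying its bundled OCX.

```powershell
# Added example (not from the original post): audit MSCOMCTL.OCX on a Windows host.
# Assumption: $MinimumVersion must be set from the security bulletin's file table.
param([version]$MinimumVersion = '0.0.0.0')

function Get-OcxVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a comparable [version] from the four numeric parts of the file version.
    return [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Hypothetical installer-side check: only copy the bundled OCX if it is newer
# than what is already on the machine (never downgrade a system-wide control).
function Test-SafeToInstallOcx {
    param([string]$BundledPath, [string]$SystemPath)
    $bundled  = Get-OcxVersion $BundledPath
    $existing = Get-OcxVersion $SystemPath
    if ($null -eq $existing) { return $true }       # nothing there yet
    if ($null -eq $bundled)  { return $false }      # nothing to install
    return ($bundled -gt $existing)
}

# 1. File versions in both system folders (SysWOW64 holds the 32-bit copy on x64).
$paths = @(
    (Join-Path $env:windir 'System32\MSCOMCTL.OCX'),
    (Join-Path $env:windir 'SysWOW64\MSCOMCTL.OCX')
)
foreach ($p in $paths) {
    $v = Get-OcxVersion $p
    if ($null -eq $v) { continue }
    $status = if ($v -ge $MinimumVersion) { 'OK' } else { 'BELOW MINIMUM' }
    Write-Output ('{0}  version {1}  {2}' -f $p, $v, $status)
}

# 2. CLSIDs registered to MSCOMCTL.OCX, and their kill-bit status.
$clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -Path "Registry::$($_.Name)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'mscomctl\.ocx$') { $_.PSChildName }
    }

# Kill bits live under ActiveX Compatibility; the Wow6432Node branch covers 32-bit
# controls on 64-bit Windows. Bit 0x400 of "Compatibility Flags" is the kill bit.
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($clsid in $clsids) {
    $killed = $false
    foreach ($root in $compatRoots) {
        $k = Get-ItemProperty -Path (Join-Path $root $clsid) -ErrorAction SilentlyContinue
        if ($k -and (([int]$k.'Compatibility Flags') -band 0x400)) { $killed = $true }
    }
    Write-Output ('{0}  kill-bit: {1}' -f $clsid, $killed)
}
```

Run it elevated on the client machine (`.\Audit-Mscomctl.ps1 -MinimumVersion <version from bulletin>`). A CLSID reported with a kill bit set is one that Internet Explorer and other kill-bit-honouring hosts will refuse to instantiate; a version below the bulletin's minimum means the file itself is still the vulnerable build, regardless of which program installed it.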
halfer
user2437443
  • Maybe you should break this into more than one question. Each of your bullets could be handled individually... – StayOnTarget Jun 12 '17 at 11:41
  • Regarding bullet #1 - beware of the potential for 'injection' problems. Though this has nothing to do with the security issue you mentioned initially, it is just a general concern whenever user-provided (or external) text is processed. – StayOnTarget Jun 12 '17 at 11:42
  • #2 - your installer should not install old over new! – StayOnTarget Jun 12 '17 at 11:42

0 Answers