Multiple vulnerabilities have been identified in Microsoft Whale Communications Intelligent Application Gateway (IAG) 2007, which could be exploited by remote attackers to comrpromise an affected system. These issues are caused by buffer overflow errors in the "WhlMgr.dll" ActiveX control when processing a specially crafted arguments passed to the "CheckForUpdates()" or "UpdateComponents()" method, which could be exploited to execute arbitrary code by tricking a user into visiting a malicious web page.

Affected Products

Microsoft Whale Communications Intelligent Application Gateway (IAG) 2007 versions prior to 3.7

Solution

Upgrade to Microsoft Whale Communications Intelligent Application Gateway (IAG) 2007 version 3.7 SP2 :
http://technet.microsoft.com/en-us/library/dd282918.aspx

References

http://www.vupen.com/english/advisories/2009/1061
http://www.kb.cert.org/vuls/id/789121

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Credits

Vulnerabilities reported by Will Dormann (CERT/CC).

Changelog

2009-04-16 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.