A vulnerability has been found in an ActiveX object distributed as part of TDC's Microsoft CSP suite. The suite consists of Cryptomathic PrimeInk CSP and some ActiveX objects. The primary task of the CSP is to handle private RSA keys that are encrypted with keys derived from user-provided passwords. The ActiveX objects assist in key management operations such as certificate request generation, installation of issued certificates, key and certificate backup/recovery, and change of password.

The PrimeInk CSP product and the ActiveX utility objects are developed by Cryptomathic for TDC Digital Certificates adhering to the Danish OCES certificate policy. While Cryptomathic PrimeInk CSP is used by many institutions around the world, the ActiveX objects have only been distributed as part of TDC's Microsoft CSP suite in Denmark.

The vulnerability allows code execution on any client machine that has the component installed if the user navigates to an attacker-created website. The attacker creates a website that calls the installed ActiveX component; alternatively, an email with an embedded HTML page could trigger the overflow.

The full advisory can be read at http://www.cirt.dk/advisories/cirt-43-advisory.pdf

CIRT.DK