SAS For Windows Buffer Overflow Leads To Code ExecutionSAS For Windows Buffer Overflow Leads To Code Execution
Vulnerabilities were discovered in a routine security crash
March 1, 2014

PRESS RELEASE
VIENNA, February 27, 2014 /PRNewswire/ --
"SAS for Windows" is part of a software for statistical analysis, data-mining and business intelligence. The software was shipped by the manufacturer SAS Institute Inc. containing a critical vulnerability [1]. The vulnerabilities were discovered in a routine security crash test by experts of the SEC Consult Vulnerability Lab ( http://www.sec-consult.com).
The vulnerability enables state-sponsored or criminal hackers to create a malicious SAS-file, which gives an attacker full control over the attacked computer if the file gets processed with "SAS for Windows". An attacker can send phishing mails containing such a manipulated SAS-file to subsequently attack the internal corporate network via a compromised client computer.
The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the vulnerability during a crash test, bypass current mitigation techniques on a standard Windows 7 installation (including firewall and anti-virus software) and control the attacked computer remotely over the Internet.
SEC Consult experts recommend immediately installing the update, released by the vendor to counter these vulnerabilities [2]. SEC Consult advises that customers of SAS products should demand from the vendor exhaustive security tests by
(European) security experts before the implementation of the respective software product.
[1] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
[2]
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260
You May Also Like
Securing the Remote Workforce
Feb 20, 2025Emerging Technologies and Their Impact on CISO Strategies
Feb 25, 2025How CISOs Navigate the Regulatory and Compliance Maze
Feb 26, 2025Where Does Outsourcing Make Sense for Your Organization?
Feb 27, 2025Shift Left: Integrating Security into the Software Development Lifecycle
Mar 5, 2025