Introduction
Multiple high-severity vulnerabilities have been identified in the SigPlus Pro ActiveX Control < 4.29.
The Windows host has an ActiveX control that is affected by multiple vulnerabilities.
The SigPlus Pro ActiveX control, used for electronic signature integration with Topaz signature pads
and installed on the remote Windows host, is earlier than 4.29. Such versions reportedly are affected
by the following vulnerabilities:
- The 'SetLogFilePath()' method allows creation of a log file in a specified location, potentially
with content controlled by an attacker through, for example, the 'SigMessage()' method.
(CVE-2011-0323)
- Boundary errors when processing the 'KeyString' property and when handling the
'SetLocalIniFilePath()' and 'SetTablePortPath()' methods can be exploited to cause a
heap-based buffer overflow. (CVE-2011-0324)
Solution
Upgrade to SigPlus Pro ActiveX version 4.29 or later, which reportedly addresses the issues.
AMAG Response
SigPlus Pro issue: we supply v3.74 on our v8.1 installation disk, but the latest version on the Topaz
site is v4.4, which is required to be in compliance.
https://www.topazsystems.com/pluginsappsindex.html
To remain in compliance, you can download the latest version from the Topaz site and install it at
your site. Alternatively, you can remove the SigPlus Pro software if it is not being used.