X
127 Rate this article:
No rating

[Internal] Vulnerability issues with NCSEcw.dll

Anonym

Vulnerability issues with NCSEcw.dll

 

Some users might be notified about the following vulnerability issue related to the NCSEcw.dll found in the IDL installation directory:

 

ENVI supports the ECW (Enhanced Compressed Wavelet) file format in Windows 32-bit systems. We implemented this functionality using a third-party library, by shipping and installing a file named NCSECW.dll. There is a known security issue with this DLL, arising from the fact that the DLL is registered as a COM server which can be started via an HTML page as an ActiveX control. Once started the function "WriteJPG" can be called and that can result in a buffer overrun.

ENVI does not register this DLL as a COM object. Unless you manually log-in as Administrator and register it yourself, it will not behave as an ActiveX control. The way we use this DLL (calling its functions but not registering its COM/ActiveX interfaces), does NOT pose a security risk. This means ENVI users are not exposed to this vulnerability.

The attached PDF file contains all the pertinent official information from the third-party that created the DLL.

How can I tell if I'm at risk?

Open the Windows Registry and search for the string D63891F1-E026-11D3-A6C3-005004055C6C. This is the unique identifier the registers the NCSEcw.dll file as an ActiveX Control. If you do not have this entry, even if the DLL file is on your computer, you're not exposed.

Note for Tech Support

An extra-suspicious customer might insist that this DLL be removed from his/her computer. It is OK to go ahead and delete the file NCSECW.dll from the following two locations:

  • C:\Program Files\Exelis\IDL85\bin\bin.x86
  • C:\Program Files\Exelis\IDL85\bin\bin.x86_64

ENVI and IDL will run normally, the only issue will be that if you try to open an ECW file in Windows 32-bit mode, the following error message will appear:

This applies to both ENVI and ENVI Classic. Even though the NCSECW.dll can be used to read JPEG2000 files as well, we do not use it for that purpose, so removing these files will not affect ENVI´s JP2K functionality.

 

See JIRA: