IBM warns about high-risk flaws in Rational Rhapsody software development product

In a security bulletin, IBM said that an attacker could exploit the Blueberry FlashBack ActiveX control shipped with Rational Rhapsody for Windows V7.6 and earlier versions to execute arbitrary code remotely by instantiating the control from the Internet Explorer (IE) browser.

Big Blue explained that for a remote attacker to exploit the vulnerabilities, all of the following must hold: the user must have Rational Rhapsody installed on the machine; the attacker must create malicious code that exploits the ActiveX control; the user must be persuaded to open an attachment or follow a web site link that delivers the malicious code via the IE browser; and, in the Internet Zone, the user must approve the ActiveX pop-up dialog before the control can be used.

The company stressed that the user does not have to be running Rational Rhapsody for the vulnerabilities to be exploited. The flaw in the ActiveX control can be exploited regardless of whether the product is in use, since the control is registered on the system once the product is installed.

IBM said that as of late December it had not received any reports of customer issues related to these security vulnerabilities, which were discovered by Andrea Micalizzi and reported to IBM by the TippingPoint Zero Day Initiative.
