SPSS is one of the most widely used statistical analysis packages in the world. It was first released in 1968 and gained considerable traction among social sciences researchers. It grew steadily in popularity, especially among academics, but when IBM bought SPSS in 2009, the company made substantial inroads with business customers looking to add predictive analytics to their capabilities. Bottom line, SPSS users are often dealing with a lot of valuable intellectual property, from proprietary research to big data.
This is what makes the vulnerability FortiGuard researchers uncovered in SPSS of particular note. While the arbitrary code execution vulnerability is difficult to exploit, it has the potential to expose high-value data and important research operations to hackers.
The vulnerability itself affects SPSS Version 22. Although Version 23 was released in March of this year, many customers have not yet upgraded. Upgrade cycles on this type of software tend to be relatively slow due to the cost, complexity, and legacy programming many organizations have in place for their analytics and applications built on SPSS. The flaw also affects only Windows users running the 32-bit version of SPSS. Even so, because of the high cost, strong reputation, and general use cases for SPSS, organizations are often far less concerned about its security than they are about operating systems, productivity software, etc.
Attackers could potentially exploit the vulnerability, which results from insufficient sanitizing of a parameter in an ActiveX control, by passing malicious code to the system via the ActiveX parameter. According to IBM’s security bulletin on this vulnerability,
“By persuading a victim to visit a specially-crafted Web page with Internet Explorer, a local attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.”
While the possibility of a system crash would be inconvenient, it’s the ability to execute arbitrary code on a system with access to corporate and/or research data that is especially worrisome. Obviously, the value of data that might be compromised on a system used for advanced analytics could be quite high. Because the entire system could theoretically be compromised, attackers could set up remote access to data stores beyond the local machine and exfiltrate data at will.
IBM recommends applying SPSS Statistics 22.0 Fix Pack 1 and then the recently released Interim Fix for the SPSS Statistics Windows 32-bit installation to address this problem. While network security measures can’t specifically address this vulnerability, appropriate edge and internal protections may be able to detect resulting exfiltration and/or contact with unauthorized external addresses.
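Because the attack path described above runs through Internet Explorer instantiating the vulnerable ActiveX control, administrators who cannot apply the fix pack immediately can use Microsoft's standard ActiveX "kill bit" to stop IE from loading that control in the meantime. The following PowerShell script is an added example, not code from the original post, from FortiGuard, or from IBM. It assumes the documented kill-bit mechanism (Compatibility Flags 0x400 under the Internet Explorer ActiveX Compatibility registry key, per Microsoft KB 240797); the CLSID is a placeholder, since this post does not give the identifier of the affected control and it must be taken from the vendor bulletin.

```powershell
# Added example (not from the original post, FortiGuard, or IBM): set the ActiveX
# kill bit for one control so Internet Explorer refuses to instantiate it. This is
# a stop-gap for hosts that cannot yet take Fix Pack 1 and the Interim Fix.
# The CLSID passed in is a PLACEHOLDER; the real CLSID of the affected control is
# not given in the post and must come from the vendor bulletin. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
)

# 0x400 is the kill bit (COMPAT_EVIL_DONT_LOAD), documented in Microsoft KB 240797.
$KillBit = 0x400

# The affected build is 32-bit. On 64-bit Windows, 32-bit controls are looked up
# under Wow6432Node, so both hives are written when present.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($Base in $Paths) {
    if (-not (Test-Path $Base)) { continue }   # Wow6432Node does not exist on 32-bit Windows

    $Key = Join-Path $Base $Clsid
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # OR the kill bit into any flags already present rather than overwriting them.
    $Existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $New = if ($null -ne $Existing) { $Existing -bor $KillBit } else { $KillBit }
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $New -Type DWord

    # Read back and verify the bit actually landed.
    $Check = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($Check -band $KillBit) -eq $KillBit) {
        Write-Output "Kill bit set for $Clsid under $Base"
    } else {
        Write-Warning "Could not verify kill bit for $Clsid under $Base"
    }
}
```

The kill bit only prevents Internet Explorer from loading the control; it does not patch the flaw, so the fix pack and Interim Fix IBM recommends remain the actual remediation. Setting the bit is also reversible (clear 0x400 from the same value) once the host is patched, and the write can be pushed fleet-wide through Group Policy Preferences rather than run by hand.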