Thursday, April 27, 2017

Keyhelp.ocx vulnerability relating to Actian PSQL 12 install

A TAS Premier 7i runtime user, running a third-party vertical market software system (for which we provide support assistance as well as programming), has reported receiving the following notice from their security vulnerability analysis software about a file installed by Actian/Pervasive PSQL version 12:

Description: The remote host has KeyWorks KeyHelp ActiveX control installed, which is affected by multiple vulnerabilities 

- Multiple stack-based buffer overflows exist that could allow an
attacker to execute arbitrary code. (CVE-2012-2515)

- An unspecified command injection vulnerability. (CVE-2012-2516)


KEYHELP.OCX is part of the PSQL 12 install and is not harmful in itself. It is, however, a non-essential control: the Pervasive engine does not depend on it.

See:

https://supportactian.secure.force.com/help/articles/Technical_Document/Keyhelp-ocx-reported-as-a-security-vulnerability-by-security-analyzer-utilities

https://supportactian.secure.force.com/help/articles/Bug_Document/Actian-Security-Vulnerabilities-NoticePSQL/

Note that Actian recommends the removal of this control, which is only used when running the Pervasive System Analyzer (PSA) tool. It will not ship with future updates to the v12 engine, starting with service pack 1 (i.e. 12.10).

For users with older installations of version 12 (i.e. prior to 12.10), the instructions from the second link above are repeated below:


You can prevent the installation of this file by using the 'Custom' Setup Type option and changing the installation option for the optional utility to 'This feature will not be available' during the installation. Alternatively, it can be removed from an existing PSQL installation by modifying the installation to remove the optional utility: select 'Uninstall/Change' from Programs and Features, keep the default 'Modify' option, and remove the utility from the installation.
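Before or after following those steps, it is useful to confirm from the machine itself whether the control is still present and still registered as a COM class. The PowerShell script below is an added example written for this post; it is not Actian's code, and the search paths, the assumption that the control registers itself under `HKLM:\SOFTWARE\Classes\CLSID` with an `InprocServer32` entry naming `keyhelp.ocx`, and the reading of the Internet Explorer ActiveX kill bit (Compatibility Flags value 0x400) are my assumptions about a typical Windows host, not details from the post. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from Actian): inventory KEYHELP.OCX
# on a Windows host. Reports file copies, COM class registrations pointing at the
# file, and whether the IE ActiveX kill bit is set for each registered CLSID.

$ocxName = 'keyhelp.ocx'

# Returns $true if the kill bit (Compatibility Flags 0x400) is set for a CLSID.
function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band 0x400)
}

# 1. Locate copies of the file. These roots are assumptions about where a PSQL
#    install or a registered OCX would normally live.
$searchRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64"
) | Where-Object { $_ -and (Test-Path $_) }

$files = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter $ocxName -Recurse -File -ErrorAction SilentlyContinue
}

# 2. Find COM class registrations whose InprocServer32 default value names the OCX.
#    Both the native and the WOW6432Node views are checked on 64-bit Windows.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
) | Where-Object { Test-Path $_ }

$registrations = foreach ($root in $clsidRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -like "*$ocxName*") {
                [pscustomobject]@{
                    Clsid   = $_.PSChildName
                    Server  = $server
                    KillBit = Test-KillBit $_.PSChildName
                }
            }
        }
    }
}

# 3. Report.
if (-not $files -and -not $registrations) {
    Write-Output "$ocxName not found on disk and no COM registration points at it."
} else {
    if ($files) {
        Write-Output "Copies of $ocxName on disk:"
        $files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
    if ($registrations) {
        Write-Output "COM registrations referencing $ocxName (KillBit = IE will refuse to load it):"
        $registrations | Format-Table -AutoSize
    }
    Write-Output "Remediation per Actian: remove the optional utility via Programs and Features > Uninstall/Change > Modify."
}
```

The script only reads state; it does not delete the file or edit the registry, so the supported remediation remains the Programs and Features modify step above (which also unregisters the control). A registration that remains after that step, or a stray copy of the file outside the PSQL directory, is the thing to follow up on, since the vulnerability scanner is keying on the control's presence rather than on whether PSA is ever run.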