FAQ: Is ArcGIS software susceptible to CVE-2010-3599?
Some security tools report that ArcGIS software is susceptible to CVE-2010-3599: An error in the WriteJPG() method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. This issue is found in some versions of NCSEcw.dll, which is used to render Enhanced Compression Wavelet (ECW) raster files.
This is a false positive. Exploiting CVE-2010-3599 requires that NCSEcw.dll be registered as a COM object in Esri software. This DLL is not registered as a COM object in ArcGIS Desktop, ArcGIS Engine, or ArcGIS Enterprise. The ECW DLLs used in ArcGIS 10.4 and later do not have a COM interface (newer versions use ECW SDK 5.2.1). Older versions of ArcGIS use the ECW 4.x SDK; however, those ECW DLLs are neither registered as COM objects nor expose a COM interface, so this vulnerability is not exploitable from the ArcGIS/GDAL installation.
This can be verified independently. To do so, use the HTML in the appendix of the referenced document to check machines with ArcGIS Desktop and ArcGIS Engine. For example, a test on a machine running ArcGIS 10.2.2 returns the following message:
"NCSEcw.NCSRenderer" was NOT found or was unable to load
Error: Automation server can't create object
System not vulnerable to CVE-2010-3599. No further action required
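The same verification can be done from an administrative PowerShell prompt instead of the appendix HTML. The script below is an added example, not Esri's own check: it looks up the "NCSEcw.NCSRenderer" ProgID named on this page in the registry, resolves the DLL that COM would load for it, and then attempts to instantiate the object exactly as the HTML test does. The function name and output fields are assumptions made for this example.

```powershell
# Added example (not Esri's appendix HTML): report whether the NCSEcw ActiveX
# control named in CVE-2010-3599 is registered as a COM object on this machine.
# ProgID comes from the page; function name and result fields are assumptions.
function Test-NcsEcwComRegistration {
    param(
        [string]$ProgId = 'NCSEcw.NCSRenderer'
    )
    $result = [ordered]@{
        ProgId           = $ProgId
        ProgIdRegistered = $false
        Clsid            = $null
        InprocServer32   = $null
        Instantiable     = $false
        Verdict          = $null
    }

    # 1. Is the ProgID present under HKEY_CLASSES_ROOT at all?
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (Test-Path $progKey) {
        $result.ProgIdRegistered = $true
        $result.Clsid = (Get-ItemProperty -Path $progKey).'(default)'
        # 2. Which DLL would COM load for that CLSID (64-bit and 32-bit views)?
        foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
            $srv = "Registry::$root\$($result.Clsid)\InprocServer32"
            if (Test-Path $srv) {
                $result.InprocServer32 = (Get-ItemProperty -Path $srv).'(default)'
                break
            }
        }
    }

    # 3. Same test the page's HTML performs: try to create the object.
    #    An unregistered control fails here, which is the expected outcome.
    try {
        $null = New-Object -ComObject $ProgId -ErrorAction Stop
        $result.Instantiable = $true
    } catch {
        $result.Instantiable = $false
    }

    $result.Verdict = if ($result.Instantiable) {
        'Control is registered and loadable; review exposure to CVE-2010-3599'
    } else {
        'System not vulnerable to CVE-2010-3599 (control not registered or not loadable)'
    }
    [pscustomobject]$result
}

Test-NcsEcwComRegistration | Format-List
```

On an ArcGIS Desktop or ArcGIS Engine machine the expected output has ProgIdRegistered and Instantiable both False, matching the "not found or unable to load" message above; a True Instantiable value means some other product has registered the control and should be investigated.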