Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=606
Vulnerable Systems:
* Kaspersky Lab's kavwebscan.dll version 5.0.93.0.
* Previous versions are suspected to be vulnerable.
This vulnerability specifically exists in the Kaspersky online virus scanner ActiveX control. The ActiveX control in question has the following identifiers:
ProgID: kavwebscan.CKAVWebScan
ClassID: 0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75
File: kavwebscan.dll
This ActiveX control passes attacker-supplied data as the format string parameter of various string formatting functions. This is presumably done to enable displaying localized messages from within the HTML page. By rendering a specially crafted web page that uses this ActiveX control, a heap-based buffer overflow could occur.
Exploitation of this vulnerability would allow a remote attacker to execute arbitrary code in the context of the targeted user. To exploit this vulnerability, an attacker would need to persuade the victim to view a malicious website.
This ActiveX control is installed during use of the Kaspersky Online Virus Scanner. Once the vulnerable ActiveX control is installed, it remains installed until the user explicitly removes it. If the user does not have the Kaspersky Online Scanner control installed, the exploit page could prompt the user to install it.
Though this is a format string vulnerability, the traditional "%n" technique will not work. This is because the control was compiled with Microsoft Visual Studio 2005, in which the "%n" format specifier is disabled by default. However, an attacker could still exploit the vulnerability using other methods.
Workaround:
Setting the kill-bit for this control will prevent it from being loaded within Internet Explorer. However, doing so will also prevent legitimate use of the control.
Vendor Status:
Kaspersky Lab has addressed this vulnerability by publishing a new version of the vulnerable ActiveX control. For more information, consult Kaspersky's press release at the following URL.
http://www.kaspersky.com/news?id=207575572
CVE Information:
CVE-2007-3675
Disclosure Timeline:
* 06/20/2007 - Initial vendor notification
* 06/21/2007 - Initial vendor response
* 10/10/2007 - Coordinated public disclosure