|
|
|
|
| |
Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-32/
|
| |
Vulnerable Systems:
* Trend Micro HouseCall ActiveX Control version 6.51.0.1028
* Trend Micro HouseCall ActiveX Control version 6.6.0.1278
Immune Systems:
* Trend Micro HouseCall ActiveX Control version 6.6.0.1285
The vulnerability is caused due to an implementation error within the HouseCall ActiveX control (Housecall_ActiveX.dll). This can be exploited to e.g. download and load an arbitrary library file by specifying a custom update server.
Successful exploitation allows execution of arbitrary code.
Solution:
Remove the ActiveX control and install version 6.6.0.1285 by going to http://prerelease.trendmicro-europe.com/hc66/launch/
HouseCall Server Edition:
* Apply hotfix B1285.
Time Table:
18/08/2008 - Vendor notified.
19/08/2008 - Vendor response.
02/09/2008 - Vendor acknowledges vulnerability.
03/09/2008 - Vendor asks if version 6.6 is also affected.
03/09/2008 - Vendor informed that version 6.6 is not available.
09/09/2008 - Vendor informs that version 6.6 site is now accessible.
18/09/2008 - Vendor informed that version 6.6 is not affected by the current exploit, but will be checked in-depth later.
23/09/2008 - Vendor informed that version 6.6 is also vulnerable when using a slightly modified exploit.
27/09/2008 - Vendor provides status update.
13/11/2008 - Status update requested.
13/11/2008 - Vendor provides status update.
14/11/2008 - Vendor provides hotfix for testing.
14/11/2008 - Informed the vendor that the supplied hotfix does not address the vulnerability properly.
18/11/2008 - Vendor requests updated exploit.
19/11/2008 - Updated exploit sent to the vendor.
22/12/2008 - Status update requested.
22/12/2008 - Vendor informs that hotfix for SA31583 also fixes this vulnerability.
22/12/2008 - Public disclosure.
CVE Information:
CVE-2008-2434
|
|
|
|
|
