CVE-2008-2435

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

	SecuriTeam™ in Your Inbox

	E-mail this CVE-2008-2435 to a friend

New vulnerability?
New tool?
Tell us

Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-34/

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Check for CVE-2008-2435

Vulnerability Assessment and Management.
Automated Pen Testing for 50 to 50,000 nodes
beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Trend Micro HouseCall ActiveX Control version 6.51.0.1028
* Trend Micro HouseCall ActiveX Control version 6.6.0.1278

Immune Systems:
* Trend Micro HouseCall ActiveX Control version 6.6.0.1285

The vulnerability is caused by a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll). This can be exploited to dereference previously freed memory by tricking the user into opening a web page containing a specially crafted "notifyOnLoadNative()" callback function.

Successful exploitation allows execution of arbitrary code.

Solution:
Remove the ActiveX control and install version 6.6.0.1285 available from: http://prerelease.trendmicro-europe.com/hc66/launch/

HouseCall Server Edition:
* Apply hot fix B1285.

Time Table:
25/08/2008 - Vendor notified.
26/08/2008 - Vendor response.
21/12/2008 - Public disclosure.

CVE Information:
CVE-2008-2435

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus