------------------------------------------------------------------
SNS Advisory No.80
nProtect:Netizen Arbitrary File Download Vulnerability

Problem first discovered on: Wed, 13 Apr 2005
Published on: Mon, 25 Apr 2005
------------------------------------------------------------------

Severity Level:
---------------
  Medium

Overview:
---------
  A vulnerability in nProtect:Netizen could result in arbitrary code
  being downloaded to an attacker-specified path on the vulnerable
  system.

Problem Description:
--------------------
  nProtect:Netizen is an ActiveX control designed to protect users
  from viruses, unauthorised access, phishing, etc.

  nProtect:Netizen checks for an updated module when it is launched.
  If it finds an updated module, it tries to download it.

  A malicious website administrator can induce a user to view a
  specially crafted web site, which could download an arbitrary file
  to a path specified by the attacker.

Tested Versions:
----------------
  nProtect:Netizen Ver.2005.3.17.1

Solution:
---------
  Update to the fixed version of nProtect:Netizen, available by
  connecting to the web site where this product is used and pressing
  its start button.

Discovered by:
--------------
  Keigo Yamazaki

Thanks to:
----------
  This SNS Advisory is being published in coordination with the
  Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.

  http://jvn.jp/jp/JVN%23AF02FB4B/index.html
  http://www.ipa.go.jp/security/vuln/documents/2005/JVN_AF02FB4B_nProtect.html

Disclaimer:
-----------
  The information contained in this advisory may be revised without
  prior notice and is provided as is. Users act at their own risk when
  taking any action after reading this advisory. LAC Co., Ltd. shall
  take no responsibility for any problems, loss or damage caused by,
  or by the use of, information provided here.

This advisory can be found at the following URL: http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/80_e.html