Title: CA eTrust Antivirus WebScan vulnerabilities

CA Vulnerability ID (CAID): 34509

CA Advisory Date: 2006-08-03

Discovered By: Matt Murphy of the TippingPoint Security Research Team

Impact: Remote attacker can execute arbitrary code.

Summary: CA eTrust Antivirus WebScan is a free, web-based virus scanner that is located at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. CA eTrust Antivirus WebScan v1.1.0.1047 and earlier contains vulnerabilities that can allow a remote attacker to execute arbitrary code or compromise the integrity of the WebScan software. The first vulnerability is due to a failure to properly validate parameters. The second vulnerability is due to a buffer overflow in WebScan. Matt Murphy has identified multiple attack vectors that exploit these vulnerabilities.

Mitigating Factors: Exploitation of these vulnerabilities is non-trivial.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA eTrust Antivirus WebScan v1.1.0.1047 and earlier

Affected platforms:
Internet Explorer 4.0 or above on Microsoft Windows

Status and Recommendation:
CA eTrust Antivirus WebScan v1.1.0.1048 addresses all of the vulnerabilities. Visit http://www3.ca.com/securityadvisor/virusinfo/scan.aspx and allow Internet Explorer to install the new webscan.cab software. Note that the software is digitally signed by CA.

Alternatively, you can simply remove an older, vulnerable object by using one of these two methods:

a) Start Internet Explorer, and then select "Tools" > "Internet Options" > "General" tab. On the "General" tab, click on the "Settings" button in the "Temporary Internet Files" section. On the "Settings" dialog window, click on the button labeled "View Objects" and then right-click on the "WScanCtl Class" object and select the "Remove" option.

b) Open an Explorer window and browse to "<system>\downloaded program files". Then right-click on the "WScanCtl Class" object and select the "Remove" option.

Determining if you are affected:
Browse to the C:\WINDOWS\Downloaded Program Files or C:\WINNT\Downloaded Program Files folder and check the version number of the "WScanCtl Class" object. If the version number is less than 1,1,0,1048, you need to update the ActiveX control.

Another way to determine if you are affected is to start Internet Explorer, and then select "Tools" > "Internet Options" > "General" tab. On the "General" tab, click on the "Settings" button in the "Temporary Internet Files" section. On the "Settings" dialog window, click on the button labeled "View Objects" and then check the version of the "WScanCtl Class" object. If the version number is less than 1,1,0,1048, you need to update the ActiveX control.

Note that v1.1.0.1045 is the last version that was widely distributed.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CAID: 34509
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
ZDI, founded by 3Com and TippingPoint:
http://www.zerodayinitiative.com/
CVE Reference: Pending
http://cve.mitre.org/
OSVDB Reference: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln@xxxxxx, or contact me directly.

If you discover a vulnerability in CA products, please report your findings to vuln@xxxxxx, or utilize our "Submit a Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One Computer Associates Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2006 CA. All rights reserved.
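
The "Determining if you are affected" check, scripted in PowerShell as an added example (not part of CA's advisory): it finds the registered "WScanCtl Class" object through its COM registration and compares the file version with 1.1.0.1048. It assumes the name shown under "View Objects" is the default value of the control's CLSID key; the registry paths are standard Windows locations, not taken from the advisory.

```powershell
# Added example: locate the registered "WScanCtl Class" COM object and compare
# its file version with the fixed build named in the advisory (1.1.0.1048).
$fixed = [version]'1.1.0.1048'      # first fixed version, from the advisory
$name  = 'WScanCtl Class'           # object name, from the advisory

# Assumption: the name shown under "View Objects" is the default value of the
# control's CLSID key. The WOW6432Node hive covers 32-bit IE on 64-bit Windows.
$hives = 'HKLM:\SOFTWARE\Classes\CLSID',
         'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'

$results = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($key in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
        if ($key.GetValue('') -ne $name) { continue }

        # InprocServer32 holds the path of the DLL/OCX that implements the control.
        $server = $key.OpenSubKey('InprocServer32')
        if (-not $server) { continue }
        $path = [Environment]::ExpandEnvironmentVariables(
                    ([string]$server.GetValue('')).Trim('"'))
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Clsid = $key.PSChildName; Path = $path
                               Version = $null; Status = 'registered, file missing' }
            continue
        }

        # Build the version from the numeric parts: the string form may be
        # comma separated ("1,1,0,1045") and would not parse as [version].
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -lt $fixed) { 'VULNERABLE: update or remove' } else { 'fixed' }
        [pscustomobject]@{ Clsid = $key.PSChildName; Path = $path
                           Version = $ver; Status = $status }
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { "No '$name' object is registered on this host." }
```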