SecurityTracker.com
Category:  Application (Security)  >  eTrust Antivirus
Vendors:  Computer Associates
Computer Associates eTrust Antivirus Integer Overflow in Processing Microsoft OLE Data Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014050
SecurityTracker URL:  http://securitytracker.com/id?1014050
CVE Reference:  CAN-2005-1693
Updated:  May 27 2005
Original Entry Date:  May 25 2005
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.1 and prior versions
Description:  A vulnerability was reported in the Computer Associates Vet Antivirus engine, affecting eTrust Antivirus and other CA products. A remote user can execute arbitrary code on the target system.

A remote user can create a specially crafted Microsoft Office document that, when processed by the Vet library, triggers an integer overflow and executes arbitrary code on the target system.

The vulnerability is triggered by a specially crafted project name length value in the decompressed VBA directory.
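
The bug class described above, as an added example that is not CA's code or part of the original advisory: a length-prefixed name record parsed with the length bounded before it is used in any arithmetic, next to the wrapping size computation that such a check prevents. The record layout (2-byte id, 4-byte little-endian length, name bytes), the 128-byte cap and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 128u  /* assumed upper bound for a project name */
#define HDR_LEN 6u         /* assumed header: 2-byte id + 4-byte length */

/* The flawed pattern: 32-bit arithmetic on an untrusted length field.
 * For len == 0xFFFFFFFF the result wraps to 0, so the allocation is tiny
 * while a later copy would still use the original, huge length. */
uint32_t naive_alloc_size(uint32_t len) {
    return len + 1u;  /* wraps modulo 2^32 */
}

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened parse: returns 0 and a NUL-terminated heap copy in *out,
 * or -1 if the record is truncated or the length is out of bounds. */
int parse_name_record(const uint8_t *buf, size_t buflen, char **out) {
    *out = NULL;
    if (buflen < HDR_LEN) return -1;               /* header must be present */
    uint32_t len = rd_le32(buf + 2);
    if (len == 0 || len > NAME_MAX_LEN) return -1; /* bound before any math */
    if (len > buflen - HDR_LEN) return -1;         /* payload must be present */
    char *name = malloc((size_t)len + 1);          /* cannot wrap: len <= 128 */
    if (!name) return -1;
    memcpy(name, buf + HDR_LEN, len);
    name[len] = '\0';
    *out = name;
    return 0;
}

/* Constructed sample records (not taken from any real document). */
static const uint8_t GOOD_REC[]  = {0x04,0x00, 0x03,0x00,0x00,0x00, 'a','b','c'};
static const uint8_t HUGE_REC[]  = {0x04,0x00, 0xFF,0xFF,0xFF,0xFF, 'a','b','c'};
static const uint8_t SHORT_REC[] = {0x04,0x00, 0x10,0x00,0x00,0x00, 'a','b','c'};

int main(void) {
    char *n = NULL;
    int ok = parse_name_record(GOOD_REC, sizeof GOOD_REC, &n) == 0;
    free(n);
    ok = ok && parse_name_record(HUGE_REC, sizeof HUGE_REC, &n) == -1;
    ok = ok && parse_name_record(SHORT_REC, sizeof SHORT_REC, &n) == -1;
    return ok ? 0 : 1;
}
```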

The following CA products are affected:

CA InoculateIT 6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.1 (all platforms, including Notes/Exchange)
eTrust Antivirus for the Gateway r7.0 (all modules and platforms)
eTrust Antivirus for the Gateway r7.1 (all modules and platforms)
eTrust Secure Content Manager (all releases)
eTrust Intrusion Detection (all releases)
eTrust EZ Antivirus r6.2 - r7.0.5
eTrust EZ Armor r1.0 - r2.4.4
eTrust EZ Armor LE r2.0 - r3.0.0.14
Vet Antivirus r10.66 and below

BrightStor ARCserve Backup is not affected [Editor's note: The vendor originally reported BrightStor to be vulnerable but later clarified that it does not use the Vet engine and therefore is not affected].

The vendor credits Alex Wheeler with reporting this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  A fix is available for most of the affected Computer Associates products.

The fix is available automatically as part of the daily Vet Signature updates (dated May 3, 2005).

The vendor's advisory is available at:

http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896

Vendor URL:  www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  "Williams, James K" <James.Williams@ca.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 24 May 2005 03:11:15 -0400
From:  "Williams, James K" <James.Williams@ca.com>
Subject:  CAID 32896 - Computer Associates Vet Antivirus engine heap overflow vulnerability

 
 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
 
 
CAID 32896 - Computer Associates Vet Antivirus engine heap overflow 
vulnerability
 
 
CA Vulnerability ID: 32896
 
 
Discovery Date: 2005/04/26
 
 
Discovered By: Alex Wheeler
 
 
Title:
Computer Associates Vet Antivirus engine heap overflow vulnerability
 
 
Impact:
Remote attackers can gain privileged access.
 
 
Summary:
Computer Associates has patched a high risk vulnerability that was 
identified by Alex Wheeler.  The vulnerability affects computers 
leveraging our eTrust(TM) Vet Antivirus engine, and can allow an 
attacker to gain control of a computer through a specially crafted 
Microsoft Office document.
 
 
Severity:
Computer Associates has given this vulnerability a High risk rating.  
The Vet Antivirus Engine is included in drivers, system services to 
automatically scan any files that the computer may access.  These 
software components have privileged access to the local computer and 
are started by default by our Antivirus software installation.  In 
the worst case scenario, a remote attacker may present a specially 
crafted Microsoft Office document to a vulnerable computer for virus 
scanning and gain control of the computer without any user 
interaction.
 
 
Affected corporate products:
CA InoculateIT 6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r6.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.0 (all platforms, including Notes/Exchange)
eTrust Antivirus r7.1 (all platforms, including Notes/Exchange)
eTrust Antivirus for the Gateway r7.0 (all modules and platforms)
eTrust Antivirus for the Gateway r7.1 (all modules and platforms)
eTrust Secure Content Manager (all releases)
eTrust Intrusion Detection (all releases)
BrightStor ARCserve Backup (BAB) r11.1 Windows
 
Affected retail products:
eTrust EZ Antivirus r6.2 - r7.0.5
eTrust EZ Armor r1.0 - r2.4.4
eTrust EZ Armor LE r2.0 - r3.0.0.14
Vet Antivirus r10.66 and below
 
 
Status:
All Computer Associates corporate products and some of our retail 
products that utilize the Vet Antivirus Engine have the ability to 
patch this vulnerability automatically.  For these products, the 
patch for this vulnerability was already rolled out as part of the 
daily Vet Signature updates on May 3, 2005, and no further action 
is required.  
 
 
Recommendation:
To make sure your system is protected, please review the solutions 
below for your specific product version.
 
  * All corporate products - You are protected if you are running 
    Vet engine 11.9.1 or later.  If running an earlier version, 
    perform a virus signature file update as soon as possible to 
    receive the patch.
 
  * eTrust EZ Antivirus r7/eTrust EZ Armor r3.1 Users - You may 
    already be up-to-date.  A new Vet engine was made available on 
    Tuesday, May 3rd.  Automatic signature file updates should have 
    downloaded this update to your system.  To verify the update, 
    please follow the instructions below:
 
    Open eTrust EZ Antivirus (double-click on the "AV" icon in your 
    system tray), then select the "Help" tab on the top-right of the 
    screen.  The engine version should be listed as 11.9.1 or later.
    If it is a lower number, perform a virus signature file update [1]
    immediately to receive the patch.
 
  * eTrust EZ Antivirus r6.x Users - Upgrade to eTrust EZ Antivirus r7
    as soon as possible.  It takes approximately 10 minutes to 
    complete this process on a high-speed connection, and all users 
    with an active license are entitled to this upgrade for free.  
    Follow the link below to upgrade now.
 
    http://consumerdownloads.ca.com/myeTrust/apps/EZAntivirus.exe
 
    - For additional upgrade instructions, click on the appropriate 
      link below:
    - Upgrading from r6.1 and above [2]
    - Upgrading from r6.0 and earlier [3]
 
    Unsure of your product version?  Follow the link in footnote [4].
 
  * eTrust EZ Armor r3 Users - An update will be pushed down to your 
    computer.  During a virus signature file update, a patch will be 
    downloaded to your computer.  The patch will require that you 
    reboot your computer for it to take effect.  We recommend that 
    you reboot right away.
       
  * eTrust EZ Armor r2.4.4 and below Users - Upgrade to eTrust EZ 
    Armor r3.1 as soon as possible.  It takes approximately 10 
    minutes to complete this process on a high-speed connection and 
    all users with an active license are entitled to this upgrade for 
    free.  Follow the link below to upgrade now.
 
    http://consumerdownloads.ca.com/myeTrust/apps/EZArmor.exe
 
    Unsure of your product version?  Follow the link in footnote [4].
 
 
CVE Reference: Pending
 
 
OSVDB Reference: Pending
 
 
Advisory URLs (note that URLs below may wrap):
 
General:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
 
Consumer:
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1588


[1]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=61

[2]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1907

[3]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1911

[4]
http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=89
 
 
Should you require additional information, please contact CA 
Technical Support at http://supportconnect.ca.com.
 
 
Respectfully,
 
Ken Williams ; Vulnerability Research 
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
 
 
Computer Associates International, Inc. (CA). 
One Computer Associates Plaza. Islandia, NY 11749
	
Contact Us http://ca.com/catalk.htm
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://ca.com
Copyright 2005 Computer Associates International, Inc.
All rights reserved
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
 
iQA/AwUBQpLTkXklkd/ilBmFEQK1wgCcDySYgHpV67533GFUc+81zLCtuN0AoIka
OMN49pQPHS0LKFtsvqPZzevV
=Gizh
-----END PGP SIGNATURE-----
 



Copyright 2005, SecurityGlobal.net LLC