CA eTrust Antivirus WebScan Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016637
SecurityTracker URL: http://securitytracker.com/id/1016637
CVE-2006-3975, CVE-2006-3976, CVE-2006-3977
Updated: Aug 7 2006
Original Entry Date: Aug 4 2006
Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): WebScan 18.104.22.1687 and prior versions
Several vulnerabilities were reported in eTrust Antivirus WebScan. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in WebScan and execute arbitrary code on the target system. The code will run with the privileges of the target user.
A remote user can also install arbitrary files on the target system.
The vendor was notified on July 17, 2006.
Matt Murphy of the TippingPoint Security Research Team discovered this vulnerability.
The original advisories are available at:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can also install arbitrary files on the target user's system.
The vendor has issued a fixed version (22.214.171.1248), available at:
Vendor URL: www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
Boundary error, Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: CAID 34509 - CA eTrust Antivirus WebScan vulnerabilities|
Title: CA eTrust Antivirus WebScan vulnerabilities
CA Vulnerability ID (CAID): 34509
CA Advisory Date: 2006-08-03
Matt Murphy of the TippingPoint Security Research Team
Impact: Remote attacker can execute arbitrary code.
Summary: CA eTrust Antivirus WebScan is a free, web-based virus
scanner that is located at
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. CA eTrust
Antivirus WebScan v126.96.36.1997 and earlier contains vulnerabilities
that can allow a remote attacker to execute arbitrary code or
compromise the integrity of the WebScan software. The first
vulnerability is due to a failure to properly validate parameters.
The second vulnerability is due to a buffer overflow in WebScan.
Matt Murphy has identified multiple attack vectors that exploit
Mitigating Factors: Exploitation of these vulnerabilities is
Severity: CA has given this vulnerability a Medium risk rating.
CA eTrust Antivirus WebScan v188.8.131.527 and earlier
Internet Explorer 4.0 or above on Microsoft Windows
Status and Recommendation:
CA eTrust Antivirus WebScan v184.108.40.2068 addresses all of the
Visit http://www3.ca.com/securityadvisor/virusinfo/scan.aspx and
allow Internet Explorer to install the new webscan.cab software.
Note that the software is digitally signed by CA.
Alternatively, you can simply remove an older, vulnerable object
by using one of these two methods:
a) Start Internet Explorer, and then select "Tools" > "Internet
Options" > "General" tab. On the "General" tab, click on the
"Settings" button in the "Temporary Internet Files" section. On
the "Settings" dialog window, click on the button labeled "View
Objects" and then right-click on the "WScanCtl Class" object and
select the "Remove" option.
b) Open an Explorer window and browse to
"<system>\downloaded program files". Then right-click on the
"WScanCtl Class" object and select the "Remove" option.
Determining if you are affected:
Browse to the C:\WINDOWS\Downloaded Program Files or
C:\WINNT\Downloaded Program Files folder and check the version
number of the "WScanCtl Class" object. If the version number is
less than 1,1,0,1048, you need to update the ActiveX control.
Another way to determine if you are affected is to Start Internet
Explorer, and then select "Tools" > "Internet Options" > "General"
tab. On the "General" tab, click on the "Settings" button in the
"Temporary Internet Files" section. On the "Settings" dialog
window, click on the button labeled "View Objects" and then check
the version of the "WScanCtl Class" object. If the version number
is less than 1,1,0,1048, you need to update the ActiveX control.
Note that v220.127.116.115 is the last version that was widely
References (URLs may wrap):
CAID Advisory link:
ZDI, founded by 3Com and TippingPoint:
CVE Reference: Pending
OSVDB Reference: Pending
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory,
please send email to firstname.lastname@example.org, or contact me directly.
If you discover a vulnerability in CA products, please report
your findings to email@example.com, or utilize our "Submit a
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, One Computer Associates Plaza. Islandia, NY 11749
Legal Notice http://www3.ca.com/legal/
Copyright (c) 2006 CA. All rights reserved.
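The "Determining if you are affected" check from the advisory above can be scripted for use across many hosts. The following PowerShell is an added example, not part of the CA advisory or the SecurityTracker entry. It assumes the control is registered as a COM class whose CLSID key carries the displayed name "WScanCtl Class" as its default value and whose InprocServer32 subkey points at the installed file. The function name Get-WebScanControlStatus is hypothetical.

```powershell
# Added example: report whether a registered "WScanCtl Class" ActiveX control
# is older than the fixed build 1,1,0,1048 named in the advisory.
$FixedVersion = New-Object System.Version -ArgumentList @(1, 1, 0, 1048)
$ControlName  = 'WScanCtl Class'   # object name shown under "View Objects"

function Get-WebScanControlStatus {
    # 32-bit controls on 64-bit Windows register under Wow6432Node.
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') |
             Where-Object { Test-Path $_ }

    foreach ($root in $roots) {
        # Assumption: the CLSID key's default value is the displayed class name.
        $keys = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                Where-Object { $_.GetValue('') -eq $ControlName }

        foreach ($key in $keys) {
            $server = $key.OpenSubKey('InprocServer32')
            if (-not $server) { continue }
            $path = ([string]$server.GetValue('')).Trim('"')
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

            # Compare the numeric version fields of the file rather than the
            # string form, which the advisory writes with commas.
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            $installed = New-Object System.Version -ArgumentList @(
                $vi.FileMajorPart, $vi.FileMinorPart,
                $vi.FileBuildPart, $vi.FilePrivatePart)

            [pscustomobject]@{
                Clsid      = $key.PSChildName
                Path       = $path
                Installed  = $installed
                Vulnerable = ($installed -lt $FixedVersion)
            }
        }
    }
}

$result = @(Get-WebScanControlStatus)
if ($result.Count -eq 0) {
    "No '$ControlName' control is registered on this host."
} else {
    $result | Format-Table -AutoSize
}
```

A row with Vulnerable set to True corresponds to the advisory's "less than 1,1,0,1048" condition, for which the advisory's remedy is to update or remove the control.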