McAfee VirusScan ActiveX Controls Let Remote Users Access the Target User’s System

Date:  Apr 27 2004
 
Impact:  User access via network
 
Exploit Included:  Yes  
 
Description:  A vulnerability was reported in McAfee VirusScan. A remote user may be able to access a target user’s system.

Jonathan Payne reported that the software appears to install several non-secure ActiveX controls. A remote user can reportedly create HTML that, when loaded by the target user, will invoke the ActiveX controls and access the target user’s system.

A demonstration exploit that accesses the target user’s Windows registry is provided in the Source Message.
 
Impact:  A remote user can create HTML that, when loaded by the target user, will be able to access the target user’s system.
 
Solution:  No solution was available at the time of this entry.
 
Vendor URL:  www.mcafee.com/
Cause:  Access control error
Underlying OS:  Windows (Any)

http://www.securitytracker.com/alerts/2004/Apr/1009956.html

Leave a Reply