The Electronic Arts SnoopyCtrl ActiveX control and plug-in contain multiple stack buffer overflows, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Electronic Arts (EA.com) provides an ActiveX control and Netscape-style plug-in called SnoopyCtrl. This control, provided by NPSnpy.dll, is included with an EA.com update package. The SnoopyCtrl ActiveX control and plug-in contain buffer overflow vulnerabilities in multiple methods and initialization parameters.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable the SnoopyCtrl ActiveX control in Internet Explorer
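One way to apply this workaround is the Internet Explorer kill bit, shown here as an added example that is not part of the original advisory. The CLSID is a placeholder because this page does not list the SnoopyCtrl CLSID, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: set and verify the IE kill bit for one ActiveX control.
# The default CLSID is a PLACEHOLDER; supply the control's real CLSID.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$Placeholder = '{00000000-0000-0000-0000-000000000000}'
$KillBit     = 0x00000400   # "Compatibility Flags" bit that blocks instantiation in IE

# Refuse to run with a malformed or placeholder CLSID.
if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
    throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
}
if ($Clsid -eq $Placeholder) {
    throw 'Replace the placeholder CLSID with the CLSID of the control to disable.'
}

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }   # Wow6432Node is absent on 32-bit Windows

    $key = Join-Path $root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Keep any flags already set and OR in the kill bit.
    $name    = 'Compatibility Flags'
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name $name -Value ($current -bor $KillBit) -Type DWord

    # Read the value back so the result is confirmed, not assumed.
    $check = (Get-ItemProperty -Path $key -Name $name).$name
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Output ("Kill bit set: {0} (flags 0x{1:X8})" -f $key, $check)
    } else {
        Write-Warning "Kill bit NOT set: $key"
    }
}
```

The kill bit only stops Internet Explorer from instantiating the ActiveX control; it does not affect the Netscape-style plug-in that NPSnpy.dll also provides.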
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Date First Published: 2007-10-08
Date Last Updated: 2007-10-09 13:40 UTC