The Trend Micro HouseCall ActiveX control contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Trend Micro HouseCall ActiveX control (Housecall_ActiveX.dll) includes an update feature. A web page hosting the control can specify update server parameters, and the control does not adequately restrict the type of file or download location. Further details are available from Secunia.
Insecure software update features are a common class of vulnerability; see, for example, "Secure Software Updates: Disappointments and New Challenges."
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker can download an arbitrary file to a location writeable by the user. By writing to a location like a startup directory or a user's desktop, the attacker can increase the chances of the user executing the file.
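The advisory does not publish the control's parameters or code, so the following is an added example, not Trend Micro's code. It shows the checks an updater needs when a web page can supply the update server and file name: pin the server, restrict the file type, and confine the download location. The host, suffixes, directory and function names are all hypothetical.

```python
import ntpath
from urllib.parse import urlsplit

# Hypothetical policy values, fixed inside the updater and never taken from the page.
TRUSTED_HOSTS = {"updates.vendor.example"}
ALLOWED_SUFFIXES = (".dat", ".ptn")
INSTALL_DIR = r"C:\Program Files\Scanner\data"


class UpdateRejected(ValueError):
    """Raised when page-supplied update parameters violate policy."""


def resolve_update(server_url, file_name):
    """Validate untrusted (server_url, file_name); return (download_url, local_path)."""
    url = urlsplit(server_url)
    try:
        port = url.port
    except ValueError:
        raise UpdateRejected("malformed port")
    if url.scheme != "https" or port not in (None, 443):
        raise UpdateRejected("update server must be https on the default port")
    # Exact host match; userinfo is refused so "trusted@other-host" cannot pass.
    if url.username or url.password or url.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected("update server is not a pinned host")

    # The file name must be a bare name: no directory, drive, or stream part.
    if not file_name or ntpath.basename(file_name) != file_name or ":" in file_name:
        raise UpdateRejected("file name contains a path, drive or stream")
    if not file_name.lower().endswith(ALLOWED_SUFFIXES):
        raise UpdateRejected("file type is not allowed")

    # Destination is derived from the fixed directory, then re-checked.
    local_path = ntpath.normpath(ntpath.join(INSTALL_DIR, file_name))
    if ntpath.dirname(local_path).lower() != INSTALL_DIR.lower():
        raise UpdateRejected("destination escapes the install directory")

    download_url = "https://%s%s/%s" % (url.hostname, url.path.rstrip("/"), file_name)
    return download_url, local_path
```

These checks only limit where a file comes from and where it lands; verifying a signature on the downloaded file is a separate step that this example does not cover.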
Install an updated version of the HouseCall ActiveX control.
| Group | Score | Vector |
|---|---|---|
| Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
| Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
This vulnerability was reported by Alin Rad Pop of Secunia Research.
This document was written by Art Manion.
| Date First Published: | 2008-12-25 |
| Date Last Updated: | 2008-12-25 23:14 UTC |