Panda ActiveScan fails to properly validate downloaded software, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Panda ActiveScan is an online scanner that is reported to detect malware, vulnerabilities, and unknown threats. Panda ActiveScan, which is available as an ActiveX control for Internet Explorer browsers and as an NSAPI plug-in for other browsers, includes an installer component (as2stubie.dll) for downloading and installing the remaining components of the ActiveScan product (as2guiie.cab).
The Panda ActiveScan installer fails to validate the digital signature of downloaded components. The location of the components to download can also be specified by an attacker.
By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could run arbitrary code with the privileges of the user running the application.
Apply an update
|Temporal||0||E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)|
|Environmental||0||CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)|
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
|Date First Published:||2010-02-09|
|Date Last Updated:||2010-02-09 18:57 UTC|