Overview
Panda ActiveScan fails to properly validate downloaded software, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Panda ActiveScan is an online scanner that is reported to detect malware, vulnerabilities, and unknown threats. Panda ActiveScan, which is available as an ActiveX control for Internet Explorer browsers and as an NSAPI plug-in for other browsers, includes an installer component (as2stubie.dll) for downloading and installing the remaining components of the ActiveScan product (as2guiie.cab). The Panda ActiveScan installer fails to validate the digital signature of downloaded components. The location of the components to download can also be specified by an attacker. |
Impact
By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could run arbitrary code with the privileges of the user running the application. |
Solution
Apply an update |
|
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
CVE IDs: | CVE-2009-3735 |
Severity Metric: | 9.23 |
Date Public: | 2010-02-09 |
Date First Published: | 2010-02-09 |
Date Last Updated: | 2010-02-09 18:57 UTC |
Document Revision: | 17 |