McAfee Virtual Technician MVTControl ActiveX Control Code Execution Vulnerability

ID: IRCNE2012051892
Release Date: 2012-05-01
Criticality level: Highly critical
 
Software:
    McAfee Virtual Technician 6.x
    McAfee Virtual Technician MVTControl ActiveX Control 6.x
 
Description:
Andrea Micalizzi has discovered a vulnerability in McAfee Virtual Technician MVTControl ActiveX Control, which can be exploited by malicious people to compromise a user's system.
 
The vulnerability is caused by the "GetObject()" method (mvt.dll), which allows arbitrary COM objects to be instantiated. This can be exploited to, e.g., use the "WScript.Shell" component and execute arbitrary commands via the "Exec()" method.
 
Successful exploitation allows execution of arbitrary code.
 
The vulnerability is confirmed in version 6.3.0.1911. Other versions may also be affected.
 
Solution:
Set the kill-bit for the affected ActiveX control.
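
One way to apply and verify the kill-bit mitigation, as an added PowerShell example that is not part of the original advisory. The CLSID is a placeholder because the advisory does not list the MVTControl CLSID, and the function names Set-ActiveXKillBit and Get-CompatFlags are hypothetical.

```powershell
# Added example. The CLSID below is a placeholder: the advisory does not list
# the MVTControl CLSID, so obtain it from an affected host before use.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
$KillBit = 0x400                                      # kill bit in "Compatibility Flags"
$Name    = 'Compatibility Flags'
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$Name
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)

    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
    }
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent (e.g. 32-bit OS)
        $key     = Join-Path $root $Clsid
        $current = Get-CompatFlags $key
        $wanted  = $current -bor $KillBit                       # keep any other flags already set
        $missing = ($current -band $KillBit) -eq 0
        if ($missing -and $PSCmdlet.ShouldProcess($key, "Set $Name to 0x$('{0:X}' -f $wanted)")) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord -Value $wanted -Force | Out-Null
        }
        # Re-read the registry so the report reflects what is actually stored.
        $after = Get-CompatFlags $key
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X}' -f $after
            KillBitSet = ($after -band $KillBit) -ne 0
        }
    }
}

# Dry run first; rerun without -WhatIf from an elevated prompt to apply.
Set-ActiveXKillBit -Clsid $Clsid -WhatIf
```

A row with KillBitSet = False after a real (non-WhatIf) run means the write did not take effect in that registry view, typically because the prompt was not elevated.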
 
References:
 
Secunia:
 

Creation date: 13 Ordibehesht 1391