CERT-In Vulnerability Note
CIVN-2008-0196
Multiple Vulnerabilities in Trend Micro HouseCall ActiveX Control
Original Issue Date: December 23, 2008
Severity Rating: HIGH
Systems Affected
- Trend Micro HouseCall ActiveX Control 6.x
- Trend Micro HouseCall Server 6.x
Overview
Multiple vulnerabilities have been reported in Trend Micro HouseCall ActiveX Control which could allow an attacker to execute arbitrary code and take complete control of a vulnerable system.
Description
1. Trend Micro HouseCall ActiveX Control Arbitrary Code Execution Vulnerability (CVE-2008-2434)
An arbitrary code execution vulnerability has been reported in Trend Micro HouseCall ActiveX Control. This vulnerability is caused by an implementation error within the HouseCall ActiveX Control HouseCall_ActiveX.dll. An attacker who persuades a victim to specify a custom update server could exploit this vulnerability to download and upload a library file and execute arbitrary code on the vulnerable system.
2. Trend Micro HouseCall ActiveX Control "notifyOnLoadNative" Vulnerability (CVE-2008-2435)
A vulnerability has been reported in Trend Micro HouseCall ActiveX Control. This vulnerability is caused by a use-after-free error in the HouseCall ActiveX Control HouseCall_ActiveX.dll. An attacker could exploit this vulnerability to dereference previously freed memory via "notifyOnLoadNative" by convincing a user to open a specially crafted HTML page, resulting in arbitrary code execution on the vulnerable system.
Solution
Apply the appropriate patch as mentioned in Trend Micro [Hot Fix] B1285.
Vendor Information
Trend Micro
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646
References
Trend Micro
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646
Secunia
http://secunia.com/advisories/31337/
http://secunia.com/advisories/31583/
SecurityFocus
http://www.securityfocus.com/bid/32965
http://www.securityfocus.com/bid/32950
SecurityTracker
http://www.securitytracker.com/alerts/2008/Dec/1021481.html
CVE Name
CVE-2008-2434
CVE-2008-2435
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India