[34629] in bugtraq
Re: BitDefender Scan Online(ActiveX) - Remote File Download &
daemon@ATHENA.MIT.EDU (Sami POTIRCA)
Wed Apr 21 02:56:51 2004
From: Sami POTIRCA <spotirca@bitdefender.com>
Reply-To: spotirca@bitdefender.com
To: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Cc: bugtraq@securityfocus.com
In-Reply-To: <000601c425e3$a0eb0fe0$3358b350@fucku>
Message-Id: <1082467342.837.26.camel@spotirca.dsd.ro>
Date: Tue, 20 Apr 2004 16:22:23 +0300
On Mon, 2004-04-19 at 10:55, Rafel Ivgi, The-Insider wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Application: BitDefender Scan Online(ActiveX)
> Vendors: http://www.bitdefender.com/scan/Msie/index.php
> Platforms: Windows
> Bug: Remote File Download & Execute & Private Information Disclosure
> Risk: High - Running Arbitrary Code
> Exploitation: Remote with browser
> Date: 19 Apr 2004
> Author: Rafel Ivgi, The-Insider
> e-mail: the_insider@mail.com
> web: http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The problem was solved yesterday; the ActiveX control was updated. In
order to apply the update, a user has to access the scan online webpage
(on bitdefender.com or partner sites) and allow the update.

Btw... it would have been really nice not to expose users to this
vulnerability and let us know prior to making it public.
--
Sami POTIRCA
BitDefender Linux Project Manager
-------------------------------------
SOFTWIN
Data Security Division
-------------------------------------
e-mail: oconstantin@bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------