In association with heise online

06 June 2007, 10:53

CA patches two critical vulnerabilities in multiple products

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Computer Associates has reported two vulnerabilities in several of its products, which an attacker may use to take control of a system. According to the error report, two buffer overflows that occur during the processing of crafted CAB archives are responsible for the problem, which may enable malicious code to be injected into a computer and executed. The buffer overflows occur when there are extremely long filenames in the archive and during the input of manipulated coffFiles fields. Depending on the product, user interaction isn't even required to carry out a successful attack. On the CA Anti-Virus Gateway, these types of archive, for example, will be processed automatically. Additionally, the following products are affected:

CA Anti-Virus for the Enterprise  r8, r8.1
CA Anti-Virus 2007 (v8)
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3)
eTrust Internet Security Suite r1, r2
eTrust EZ Armor r1, r2, r3.x
CA Threat Manager for the Enterprise r8
CA Protection Suites r2, r3
CA Secure Content Manager 8.0
CA Anti-Virus Gateway 7.1
Unicenter Network and Systems Management (NSM) r3.0
Unicenter Network and Systems Management (NSM) r3.1
Unicenter Network and Systems Management (NSM) r11
Unicenter Network and Systems Management (NSM) r11.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Common Services
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

CA provides update 30.6, which should eliminate the vulnerability. It will be distributed automatically over the content update. For users of BrightStor ARCserve Backup, CA explains the update procedure in its error report.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit