Security hole in CA ActiveX module now being exploited
Web attack toolkit developers are getting faster all the time. About two weeks ago, a sample exploit for a security hole in an ActiveX module used by numerous CA products appeared in the milw0rm archive. Roger Thompson reports in the Exploit Prevention Labs blog that the makers of the Neosploit kit have now extended their attack tool with a further exploit that infects visitors to manipulated websites with malware if the vulnerable ActiveX module is installed on their machines.
Users of company computers are most likely to be affected, since the software that ships the ListCtrl.ocx ActiveX module is used mainly in business environments. It includes: BrightStor ARCServe Backup for Laptops and Desktops, CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control. In its security advisory, CA provides a link to updated versions of the software, which administrators of the affected programs should roll out quickly. Alternatively, the ActiveX module can be deactivated by setting a kill bit on the CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Help is available in an article in Microsoft's Knowledge Base.
See also:
- AddColumn() 0day ActiveX Remote Buffer Overflow Exploit, demonstration of the security hole on the milw0rm Archive
- New Exploit Targets Corporate Users of CA Apps, Exploit Prevention Labs blog entry
- CA products using the DSM ListCtrl ActiveX control Security Notice, CA advisory
(mba)