Trend Micro Internet Security Pro ActiveX Control extSetOwner code execution

2010-09-02T00:00:00
ID SAINT:0B3F341FF8E98678C2BC926ED784FF93
Type saint
Reporter SAINT Corporation
Modified 2010-09-02T00:00:00

Description

Added: 09/02/2010
CVE: CVE-2010-3189
BID: 42717
OSVDB: 67561

Background

Trend Micro Internet Security Pro is a virus protection and Internet security product for home users.

Problem

A vulnerability in the UfPBCtrl.dll ActiveX control allows command execution when a user loads a web page which calls the extSetOwner function with an invalid address argument.

Resolution

Apply the hotfix referenced in Solution ID EN-1056426.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-165/>

Limitations

Exploit works on Trend Micro Internet Security Pro 17.50.1647 and requires a user to load the exploit page in Internet Explorer 6 or 7.

Platforms

Windows