McAfee Virtual Technician ActiveX Control 'Save()' Insecure Method Vulnerability

Bugtraq ID:	58750
Class:	Design Error
CVE:	CVE-2012-5879
Remote:	Yes
Local:	No
Published:	Mar 27 2013 12:00AM
Updated:	Mar 27 2013 12:00AM
Credit:	High-Tech Bridge Security Research Lab
Vulnerable:	McAfee Virtual Technician 6.5.0.2101 McAfee ePO-MVT 1.0.8
Not Vulnerable:	McAfee Virtual Technician 7.1 McAfee ePO-MVT 1.1.0

McAfee Virtual Technician ActiveX Control 'Save()' Insecure Method Vulnerability

McAfee Virtual Technician ActiveX control is prone to a vulnerability caused by an insecure method.

Successfully exploiting this issue allows remote attackers to overwrite arbitrary files in the context of the application (typically Internet Explorer) that is using the ActiveX control.

McAfee Virtual Technician 6.5.0.2101 is vulnerable; other versions may also be affected.

McAfee Virtual Technician ActiveX Control 'Save()' Insecure Method Vulnerability

To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web page.

The following exploits are available:

• /data/vulnerabilities/exploits/58750.txt

McAfee Virtual Technician ActiveX Control 'Save()' Insecure Method Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

McAfee Virtual Technician ActiveX Control 'Save()' Insecure Method Vulnerability

References:

• McAfee Virtual Technician ActiveX Control Insecure Method (High-Tech Bridge)
  
• McAfee Virtual Technician Product Homepage (McAfee)
  
• McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability (McAfee)