TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... At the 2007 Black Hat Briefings in Las Vegas, TippingPoint DVLabs had five speakers presenting on a variety of topics.

Computer Associates eTrust AntiVirus WebScan Automatic Update Code Execution Vulnerability

TPTI-06-05: August 7th, 2006


Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:

The specific flaw exists during the automatic update process for the WebScan ActiveX component. WebScan allows the initializing web page to specify the location that the component will use to download and install updates through the 'SigUpdatePathFTP' parameter (and potentially the 'SigUpdatePathHTTP' parameter). It downloads the 'filelist.txt' manifest and acquires any update files it lists. There is no verification performed by WebScan to assure the authenticity of the information in the file list or the files themselves. This leads to a possibility of two unique attacks.

In the first attack (CVE-2006-3976), an attacker compresses a malicious file, creates a file listing that includes it and then points the update path to his/her server. The WebScan component will download and decompress the file on the local system. Other components on the system may load the file, and certain files (such as arclib.dll and vete.dll) will be loaded by WebScan itself. If either of these files is replaced by a malicious version, it becomes possible for an attacker to gain control of the system WebScan is installed on during the scanner's initialization process.

In the second attack (CVE-2006-3977), an attacker compresses an outdated version of a legitimate Computer Associates file, and lists an inaccurate timestamp for the file in the update server's file listing. There is no verification on the time/date information provided by the remote server. It is possible for an attacker to install a legitimate but extremely outdated version of virus definition files or engine components to severely limit the scope of the protection provided by WebScan.

Vendor Response

Computer Associates has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2006-07-17 - Vulnerability reported to vendor
    2006-08-07 - Coordinated public release of advisory


This vulnerability was discovered by:
    Matthew Murphy, TippingPoint Security Research Team