TippingPoint Digital Vaccine Laboratories

Computer Associates WebScan Update Processing Buffer Overflow Vulnerability

TPTI-06-06: August 7th, 2006


Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:


The specific flaw exists in WebScan's processing of the manifest files delivered during a scanner update check. WebScan downloads a 'filelist.txt' file from this server, which is used as a manifest file to describe the updates available. Each line of the file consists of four fields in the following form:

[file name] [decimal integer] [decimal integer] [decimal integer]

A lack of bounds checking on the file names specified in update manifests may lead to a buffer overflow that can be easily exploited to execute arbitrary code. As WebScan allows the server for update downloads to be specified on a web page as an initialization parameter, a malicious manifest can be delivered from any server; it is not necessary to impersonate a legitimate update server.
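The missing check, shown as an added example (this is not Computer Associates' code): a parser for the manifest line format above that validates the file name length before copying it. The 64-byte limit, the struct layout, the function names and the assumption that fields are whitespace-separated are all hypothetical; the advisory does not state them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64 /* assumed limit; the advisory gives no buffer size */

struct manifest_entry {            /* hypothetical layout for this example */
    char name[NAME_MAX_LEN + 1];
    unsigned long field[3];        /* the advisory does not name these fields */
};

/* Parse one unsigned decimal field and advance *p past it; 0 on success. */
static int parse_decimal(const char **p, unsigned long *out)
{
    const char *s = *p + strspn(*p, " \t");
    char *end;
    if (*s < '0' || *s > '9') return -1;      /* no sign, no empty field */
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno == ERANGE) return -1;           /* value does not fit */
    *p = end;
    return 0;
}

/* Parse "[file name] [int] [int] [int]"; 0 on success, -1 if rejected. */
int parse_manifest_line(const char *line, struct manifest_entry *e)
{
    size_t n = strcspn(line, " \t\r\n");      /* length of the name field */
    if (n == 0 || n > NAME_MAX_LEN) return -1; /* bound checked BEFORE copy */
    memcpy(e->name, line, n);
    e->name[n] = '\0';
    const char *p = line + n;
    for (int i = 0; i < 3; i++)
        if (parse_decimal(&p, &e->field[i]) != 0) return -1;
    p += strspn(p, " \t\r\n");
    return *p == '\0' ? 0 : -1;               /* reject trailing fields */
}

int main(void)
{
    struct manifest_entry e;
    const char *line = "scanner.dll 1024 3 20060807\n"; /* constructed sample */
    if (parse_manifest_line(line, &e) == 0)
        printf("%s %lu %lu %lu\n", e.name, e.field[0], e.field[1], e.field[2]);
    return 0;
}
```

Because the update server can be named by the hosting web page, every manifest line has to be treated as untrusted input; a rejected line should abort the update rather than be skipped.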

Vendor Response

Computer Associates has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2006-07-17 - Vulnerability reported to vendor
    2006-08-07 - Coordinated public release of advisory


This vulnerability was discovered by: