Arbitrary Code Execution in Trend Micro HouseCall ActiveX Control
CVE-2008-2434

Currently unrated

Key Information:

Vendor: Trend Micro
Status: Housecall
Vendor: CVE Published:; 23 December 2008

Summary

The Trend Micro HouseCall ActiveX control contains a vulnerability that allows remote attackers to exploit the 'custom update server' argument, enabling them to download arbitrary library files onto users' systems. This could potentially be leveraged for executing malicious code by placing files into a Startup folder, leading to unauthorized code execution whenever the system starts.

References

http://www.kb.cert.org/vuls/id/541025

third-party-advisoryx_refsource_CERT-VN

https://exchange.xforce.ibmcloud.com/vulnerabilities/47524

vdb-entryx_refsource_XF

http://securityreason.com/securityalert/4802

third-party-advisoryx_refsource_SREASON

EPSS Score

23% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Dec 23, 2008
Vulnerability Reserved
May 27, 2008