Symantec Backup Exec Calendar ActiveX Control Multiple Vulnerabilities (SYM08-007)
High Nessus Plugin ID 31351
SynopsisThe remote Windows host has an ActiveX control that is affected by multiple vulnerabilities.
DescriptionThe remote host contains the PVATLCalendar.PVCalendar.1 ActiveX control distributed with Symantec Backup Exec for Windows Servers.
The installed version of that control reportedly contains two stack-based buffer overflows and allows for corrupting or saving malicious script code, and overwriting arbitrary files. These issues can be triggered by specially crafted arguments to the '_DOWText0'...
'_DOWText6' and '_MonthText0' ... '_MonthText11' properties and then calling the 'Save()' method.
SolutionApply the appropriate hotfix as discussed in the vendor advisory above.