ARC Informatique PcVue Multiple ActiveX Vulnerabilities
September 27, 2011 (updated December 6, 2011)
Independent researcher Kuang-Chun Hung of Security Research
and Service Institute Information and Communication Security
Technology Center (ICST) privately identified a buffer
overflow vulnerability in ARC Informatique's PcVue
application.
Independent researcher Luigi Auriemma publicly disclosed
four vulnerabilities along with proof-of-concept (PoC)
exploit code, including the vulnerability privately
disclosed by ICST.
The PcVue ActiveX control is prone to multiple
vulnerabilities, including the potential to write to memory,
possible file corruption, remote code execution, and denial
of service.
Successfully exploiting these issues allows remote attackers
to create or overwrite arbitrary local files and execute
arbitrary code. Failed exploit attempts may result in a
denial-of-service condition.
According to ARC Informatique, the following products are
affected:
- PcVue - All versions from 6.xx onward
- FrontVue - All versions
- PlantVue - All versions