Vulnerability assessment firm Secunia said today it is tracking two bugs and a weakness in Panda Software’s free virus scan that could lead to remote code execution.
The two vulnerabilities in Panda ActiveScan – which claims to wipe clean any of more than 110,000 viruses, worms and trojans from a user's system – are related to a flawed ActiveX control that could result in buffer overflow, according to a Secunia advisory, which rates the problem "highly critical."
A malicious website, for example, can exploit the flaws, which cause a user's system to restart without warning and provide attackers with knowledge of system files and their sizes.
Secunia also reported a weakness in Active Scan in which the flawed ActiveX control does not permit thread safety, or proper functioning when code is launched by multiple threads.
"This can be exploited by…a malicious website via a race condition to corrupt memory and execute arbitrary code," according to Secunia. Race conditions occur when system output is reliant on the timing of other events.
As a fix, Secunia suggests users upgrade to ActiveScan version 5.54.01.
Ryan Sherstobitoff, Panda's product technology officer, told SCMagazine.com this afternoon that the flaws have been patched and users should feel confident running the scan.
"Being the fact that this is an online scan, our developers were able to respond and patch this situation before it was able to affect a large amount of users," he said. "The chances of getting attacked is kind of limited because you're not running anything resident on the machine. It's pretty difficult to carry out a widespread attack."
He said he was not aware of any users being infected.
Click here to email Dan Kaplan.