Brendan Saulsbury

**Name of the Vulnerable Software and Affected Versions** SecureConnector agent (affected versions not specified) **Description** The issue concerns the SecureConnector agent's handling of downloaded files. When the agent downloads plugin scripts and executables from the CounterACT management appliance, it fails to set any permissions on these files. This allows a malicious user to take ownership of the files, modify them, and then have them executed under SYSTEM privileges. A malicious unprivileged user can overwrite the executable files with malicious code before the SecureConnector agent executes them, resulting in the malicious code being run under the SYSTEM account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SecureConnector agent (affected versions not specified) **Description** The SecureConnector agent runs under the local SYSTEM account and executes plugin scripts and executables on the endpoint to gather and report information to the CounterACT management appliance. These executable files are downloaded to and run from the %TEMP% directory of the currently logged on user. A batch file with SYSTEM privileges is run from this temp directory. If the naming convention of this script can be derived, it may be possible to overwrite the legitimate batch file with a malicious one before execution. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** To mitigate the risk, consider setting the configuration property `config.script run folder.value` in the local.properties configuration file on the CounterACT management appliance to change the directory where scripts are run. However, note that the batch file executed by SecureConnector does not follow this property. As a temporary workaround, restrict access to the temp directory of the currently logged on user to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Java SE JDK and JRE versions prior to 7, 6 Update 27, 5.0 Update 31, and 1.4.2 33 JRockit version R28.1.4 and earlier **Description** The issue allows remote attackers to affect confidentiality, integrity, and availability, related to RMI. **Recommendations** For Java SE JDK and JRE versions prior to 7, 6 Update 27, 5.0 Update 31, and 1.4.2 33, update to a version that is not affected by this issue. For JRockit version R28.1.4 and earlier, update to a version that is not affected by this issue. As a temporary workaround, consider restricting access to RMI-related functionality until a patch is available.