CVE-2004-1906
Description
Mcafee FreeScan ActiveX buffer overflow via long ScanParam property enables DoS or remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mcafee FreeScan ActiveX buffer overflow via long ScanParam property enables DoS or remote code execution.
Vulnerability
Mcafee FreeScan (ActiveX control McFreeScan.CoMcFreeScan.1) is vulnerable to a buffer overflow when a long string is passed to the ScanParam property. Affected versions as of April 2004. [1]
Exploitation
An attacker can exploit this remotely by hosting a malicious webpage that creates the COM object and assigns an overly long string to ScanParam. No authentication required; user must visit the page with the control installed. [1]
Impact
Successful exploitation can cause denial of service or possibly execute arbitrary code on the victim's system. Additionally, the control may disclose private information such as Windows folder and My Documents path, revealing the username. [1]
Mitigation
No patch described in the reference; users should avoid using the control or restrict ActiveX execution in the browser. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking on the ScanParam property of the McFreeScan.CoMcFreeScan.1 COM object allows a buffer overflow when an overly long string is assigned."
Attack vector
An attacker hosts a malicious web page that uses VBScript to create the `McFreeScan.CoMcFreeScan.1` COM object via `CreateObject`. The script then assigns an extremely long string (over 700,000 characters) to the `ScanParam` property of that object. When the `Scan` method is subsequently called, the oversized input overflows a buffer, potentially allowing arbitrary code execution in the context of the victim user. The attack is remote and requires only that the victim visits the crafted page using Internet Explorer on a system where the FreeScan ActiveX control has been registered [ref_id=1].
Affected code
The vulnerability resides in the `ScanParam` property of the `McFreeScan.CoMcFreeScan.1` COM object, which is part of the McAfee FreeScan ActiveX control. The advisory identifies that assigning a string longer than approximately 700,000 characters to this property triggers a buffer overflow [ref_id=1]. No patch or source code is provided in the bundle, so the exact function and file path are not specified.
What the fix does
The bundle contains no patch or vendor advisory describing a fix. The researcher's disclosure does not indicate that McAfee released a security update at the time of publication. Without a patch, the only remediation is to remove or disable the vulnerable ActiveX control, for example by setting the kill bit for the `McFreeScan.CoMcFreeScan.1` CLSID in Internet Explorer [ref_id=1].
Preconditions
- configThe victim must have previously visited the McAfee FreeScan website, which installs and registers the McFreeScan.CoMcFreeScan.1 COM object.
- configThe victim must use a browser that supports ActiveX and VBScript (e.g., Internet Explorer).
- networkThe attacker must be able to host a web page reachable by the victim.
- authNo authentication is required; the control can be created remotely after initial installation.
Reproduction
The following VBScript PoC, reproduced from the advisory, triggers the overflow. Save as an .htm file and open in Internet Explorer on a system where McAfee FreeScan has been used at least once.
```vbscript Set mymy2 = CreateObject("McFreeScan.CoMcFreeScan.1") ' Build a long string of 'a' characters (truncated for brevity; see full PoC in advisory) mymy2.ScanParam = "c:\" & [very long string of 'a' characters > 700000 bytes] & "\" mymy2.Scan ```
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- lists.grok.org.uk/pipermail/full-disclosure/2004-April/019877.htmlnvdExploit
- theinsider.deep-ice.com/texts/advisory54.txtnvdExploit
- www.securityfocus.com/bid/10071nvdExploit
- lists.grok.org.uk/pipermail/full-disclosure/2004-April/019891.htmlnvd
- marc.infonvd
- secunia.com/advisories/11313nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/15772nvd
News mentions
0No linked articles in our index yet.