[ISN] Highly-Critical Flaw Discovered in Trend Micro Products

From: InfoSec News (alerts@private)
Date: Thu Feb 08 2007 - 22:04:54 PST


By Don E. Sears
February 8, 2007

A dangerous buffer-overflow flaw in Trend Micro anti-virus software 
products was reported by Trend Micro and confirmed by security 
researchers at iDefense Labs.

Researchers at Secunia have also posted an advisory on this 
vulnerability and have deemed this to be highly critical.

This flaw can be exploited on both Windows and Linux systems, and could 
be used to gain access to machines, cause DoS (denial of service) 
conditions and give attackers total control of affected systems.

Trend Micro responded to the vulnerability by pushing out a patch that a 
company spokesperson says fixes the issue.

"We have seen no cases in the wild, but Trend Micro moved quickly on 
this because, like others, we understand the highly critical nature of 
this issue," a company representative told eWEEK. 

The vulnerability affects all scan engine and pattern file technology in 
Trend Micro products due to an error in the handling of UPX (Ultimate 
Packer for eXecutables) compressed executables. This error can be 
exploited to cause a buffer overflow when scanning a specially crafted UPX 

In Windows, the scan engine runs in kernel context. Under Linux, the 
scan engine runs as a daemon with superuser privileges, hence the 
ability to have complete system control.

iDefense reports that the following configurations are vulnerable:

* Trend Micro's PC-Cillin Internet Security 2007
* VsapiNI.sys (scan engine) version 3.320.0.1003
* ServerProtect for Linux v2.5 on RHEL 4.x
* vsapiapp version 8.310

Trend Micro said that the majority of its customers use automatic 
updates, and therefore received the patch that fixes the problem within 
24 hours.

"Trend Micro is including the fix in VSAPI 8.5, which is expected to 
launch in Q2 2007. In the meantime, Trend Micro has created a pattern 
update (4.245.0) to detect this vulnerability. The pattern update was 
made available on February 5, 2007," said the company spokesperson.

Trend Micro highly recommends that customers who do not use automatic 
updates update to Virus Pattern File 4.245.00 or higher.

Representatives from iDefense and Secunia could not be reached for 
comment at the time of this reporting.
