Security hole in multiple Trend Micro products


Trend Micro recommends customers upgrade their scanning engine to VSAPI 7.510 or higher to fix a critical security hole in multiple widely used products. An attacker could exploit the glitch to overwrite data and launch malicious code.

The Tokyo-based security firm's advisory said the vulnerability is in the ARJ archive file format parser. "The ARJ archive file format is too flexible, especially in the file name field in the local header," the company said. "This file name is stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only)."

The advisory added: "If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access."

An attacker could exploit this to create a specially crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. The attacker could then use such a file to launch malicious code.
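The bounds check whose absence the advisory describes, shown as an added C example of a hardened copy (not Trend Micro's code and not part of the original article): the terminator is searched for only within the declared header size, and the name is rejected if it would not fit the 512-byte buffer. The function names, status codes and the name offset are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE   512   /* destination buffer size stated in the advisory */
#define MAX_HEADER_SIZE 2600  /* local header size limit stated in the advisory */

enum { NAME_OK = 0, NAME_BAD_HEADER = -1, NAME_UNTERMINATED = -2, NAME_TOO_LONG = -3 };

/* Copy the null-terminated file name starting at name_off inside a local header
 * of hdr_size bytes into dst. hdr, hdr_size and name_off are hypothetical
 * parameters; a real parser derives them from the archive it is reading. */
int copy_header_name(const uint8_t *hdr, uint16_t hdr_size, size_t name_off,
                     char dst[NAME_BUF_SIZE])
{
    if (hdr == NULL || dst == NULL || hdr_size > MAX_HEADER_SIZE || name_off >= hdr_size)
        return NAME_BAD_HEADER;
    size_t avail = (size_t)hdr_size - name_off;
    /* Look for the terminator only inside the header, never past its end. */
    const uint8_t *nul = memchr(hdr + name_off, 0, avail);
    if (nul == NULL)
        return NAME_UNTERMINATED;
    size_t len = (size_t)(nul - (hdr + name_off));
    if (len >= NAME_BUF_SIZE)          /* the terminator needs room as well */
        return NAME_TOO_LONG;
    memcpy(dst, hdr + name_off, len + 1);
    return NAME_OK;
}

/* Constructed sample input: a header holding name_len bytes of 'A', optionally
 * followed by a NUL, at a made-up offset of 4. Returns the copy status. */
int try_constructed_name(size_t name_len, int terminated)
{
    static uint8_t hdr[MAX_HEADER_SIZE];
    char name[NAME_BUF_SIZE];
    const size_t name_off = 4;         /* hypothetical, for the sample only */
    size_t hdr_size = name_off + name_len + (terminated ? 1 : 0);
    if (hdr_size > sizeof hdr)
        return NAME_BAD_HEADER;
    memset(hdr, 0, sizeof hdr);
    memset(hdr + name_off, 'A', name_len);
    return copy_header_name(hdr, (uint16_t)hdr_size, name_off, name);
}

int main(void)
{
    printf("511-byte name: %d, 512-byte name: %d\n",
           try_constructed_name(511, 1), try_constructed_name(512, 1));
    return 0;
}
```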

Trend Micro noted, however, that under normal circumstances the operating system restricts file name lengths. So an attacker would have to create a specially crafted ARJ archive file to trigger the vulnerability, "which requires ARJ file format knowledge and file manipulation skills."

ARJ is an archiving program created by Robert Jung for IBM-compatible computers. The letters stand for "Archive Robert Jung." ARJ compresses files to save storage space and speed transmission when moved from one computer to another.

A full list of affected products is outlined at the top of Trend Micro's advisory.

The security hole was discovered by Atlanta, Ga.-based Internet Security Systems Inc. (ISS). In its advisory, the firm noted that Trend Micro's AV library is "widely relied upon to provide antivirus capabilities to desktop, server, and gateway systems. Also, several large vendors and ISPs implement Trend Micro's antivirus library in their products."

This is the third time in a month that vulnerabilities have been found in the products of a large antivirus firm. Security holes have also been found and fixed in products from Finnish security firm F-Secure Corp. and Cupertino, Calif., antivirus giant Symantec.