Security hole in multiple Trend Micro products

An attacker could exploit a flaw in multiple Trend Micro products to launch malicious code.

Trend Micro recommends customers upgrade their scanning engine to VSAPI 7.510 or higher to fix a critical security hole in multiple widely used products. An attacker could exploit the glitch to overwrite data and launch malicious code.

The Tokyo-based security firm's advisory said the vulnerability is in the ARJ archive file format parser. "The ARJ archive file format is too flexible, especially in the file name field in the local header," the company said. "This file name is

Other security software flaws

Major flaw affects multiple Symantec products

Critical flaw affects F-Secure products

stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only)."

The advisory added: "If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access."

An attacker could exploit this to create a specially crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. The attacker could then use such a file to launch malicious code.

Trend Micro noted, however, that under normal circumstances the operating system restricts file names lengths. So an attacker would have to create a specially crafted ARJ archive file to trigger the vulnerability, "which requires ARJ file format knowledge and file manipulation skills."

ARJ is an archiving program created by Robert Jung for IBM-compatible computers. The letters stand for "Archive Robert Jung." ARJ compresses files to save storage space and speed transmission when moved from one computer to another.

A full list of affected products is outlined at the top of Trend Micro's advisory.

The security hole was discovered by Atlanta, Ga.-based Internet Security Systems Inc. (ISS). In its advisory, the firm noted that Trend Micro's AV library is "widely relied upon to provide antivirus capabilities to desktop, server, and gateway systems. Also, several large vendors and ISPs implement Trend Micro's antivirus library in their products."

This is the third time in a month that vulnerabilities have been found in the products of a large antivirus firm. Security holes have also been found and fixed in products from Finnish security firm F-Secure Corp. and Cupertino, Calif., antivirus giant Symantec.

Dig deeper on Security patch management and Windows Patch Tuesday news

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close