Article

Security hole in multiple Trend Micro products

Bill Brenner

Trend Micro recommends customers upgrade their scanning engine to VSAPI 7.510 or higher to fix a critical security hole in multiple widely used products. An attacker could exploit the glitch to overwrite data and launch malicious code.

The Tokyo-based security firm's advisory

    Requires Free Membership to View

said the vulnerability is in the ARJ archive file format parser. "The ARJ archive file format is too flexible, especially in the file name field in the local header," the company said. "This file name is
Other security software flaws

Major flaw affects multiple Symantec products

Critical flaw affects F-Secure products

stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only)."

The advisory added: "If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access."

An attacker could exploit this to create a specially crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. The attacker could then use such a file to launch malicious code.

Trend Micro noted, however, that under normal circumstances the operating system restricts file names lengths. So an attacker would have to create a specially crafted ARJ archive file to trigger the vulnerability, "which requires ARJ file format knowledge and file manipulation skills."

ARJ is an archiving program created by Robert Jung for IBM-compatible computers. The letters stand for "Archive Robert Jung." ARJ compresses files to save storage space and speed transmission when moved from one computer to another.

A full list of affected products is outlined at the top of Trend Micro's advisory.

The security hole was discovered by Atlanta, Ga.-based Internet Security Systems Inc. (ISS). In its advisory, the firm noted that Trend Micro's AV library is "widely relied upon to provide antivirus capabilities to desktop, server, and gateway systems. Also, several large vendors and ISPs implement Trend Micro's antivirus library in their products."

This is the third time in a month that vulnerabilities have been found in the products of a large antivirus firm. Security holes have also been found and fixed in products from Finnish security firm F-Secure Corp. and Cupertino, Calif., antivirus giant Symantec.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: