Security News

Another hole in just another company's antivirus

February 28, 2005

Trend Micro's antivirus scanner has been found to contain similar vulnerabilities to those of its major rivals, Symantec and F-Secure.

It is becoming almost comical how one company, Internet Security Systems, manages to pinpoint problems in major antivirus producers' wares on an almost daily basis. This is the third time it has found a serious vulnerability hidden inside an antivirus product.

In its published advisory, the company said that the problem stems from the way Trend Micro's virus scanner checks files when it scours them for viruses. When the scan is performed, users risk infecting their computers with a virus rather than getting rid of it. The problem stems from a so-called heap buffer overflow bug, the same kind that has plagued two other antivirus products in the recent past.

Because the bug lies in the ARJ file parsing of Trend Micro virus-scanning products, there is a significant likelihood that the vulnerability could lead to the execution of attack code in the context of the scanner.

The vulnerability affects Trend Micro's Antivirus Library, a common set of code used by at least 29 Trend Micro products, according to separate advisories posted on Trend Micro's Web site on Wednesday and on ISS' site on Thursday. An attacker could create a program that exploits the security hole, causing the antivirus program to run a virus instead of blocking the malicious program, the companies said. Because it's a library flaw, it adds up to a broad vulnerability in Trend Micro products that could be exploited to automatically run a malicious program.

"Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines being protected by Trend Micro Antivirus Library products," ISS said in its advisory.

According to Trend's advisory, the company's ARJ file format parser reads file names from the ARJ local header into a 512-byte buffer. But the file names can be oversized, and the Trend engine will copy beyond the end of the buffer. The next operation after copying the file name to the buffer is to assign data to a variable pointed to by an address just beyond the 512-byte buffer.
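The missing length check described above, as an added C example that is not Trend Micro's code: the header layout, the offset and all function names are assumptions made for illustration, and only the 512-byte buffer size comes from the article.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 512  /* buffer size given in the article */

/* Unsafe pattern, shown for contrast and never called here: copies up to
 * the first NUL in untrusted data and ignores the destination size. */
void copy_name_unchecked(char *dst, const uint8_t *src) {
    strcpy(dst, (const char *)src);
}

/* Bounded copy: returns the name length, or -1 if the name is not
 * NUL-terminated inside the header or does not fit in dst. */
int copy_name_checked(char *dst, size_t dst_len,
                      const uint8_t *hdr, size_t hdr_len, size_t name_off) {
    if (dst_len == 0 || name_off >= hdr_len)
        return -1;
    const uint8_t *start = hdr + name_off;
    const uint8_t *nul = memchr(start, 0, hdr_len - name_off);
    if (nul == NULL)
        return -1;                 /* unterminated: would read past header */
    size_t n = (size_t)(nul - start);
    if (n >= dst_len)
        return -1;                 /* oversized: would write past dst */
    memcpy(dst, start, n + 1);     /* n bytes plus the terminating NUL */
    return (int)n;
}

/* Constructed input: a header-like byte array holding a name of name_len
 * bytes (name_len < 2000), optionally NUL-terminated. */
int try_name_of_length(size_t name_len, int terminate) {
    static uint8_t hdr[2048];
    char name[NAME_BUF_SIZE];
    size_t off = 4;                /* hypothetical offset of the name field */
    memset(hdr, 0xAA, sizeof hdr);
    memset(hdr + off, 'A', name_len);
    size_t total = off + name_len;
    if (terminate)
        hdr[total++] = 0;
    return copy_name_checked(name, sizeof name, hdr, total, off);
}

int main(void) {
    printf("511-byte name: %d\n", try_name_of_length(511, 1));
    printf("512-byte name: %d\n", try_name_of_length(512, 1));
    return 0;
}
```

A parser that rejects the archive member when the checked copy returns -1 never writes past the name buffer, so the data next to it is not overwritten.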

"We looked at the issue, we verified it and found it to be true," said Joe Hartmann, North American director of antivirus research for Trend Micro. "We created a solution to it in a couple of days and...alerted our customers about the problem."

Due to the similarity of the problems between three separate products, and also the circumstances of their announcements, it is likely that other virus scanners might also follow suit.

© 2006 PC Flank Ltd. All rights reserved.