[THIN] ALERT: Trend Micro AV Ushers Hackers Right In

  • From: "Jim Kenzig Kenzig.com" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Mon, 28 Feb 2005 06:48:37 -0800 (PST)

For those using Trend...ooooh boy!
JK
Trend Micro AV Ushers Hackers Right In
Severity: High
25 February, 2005
Summary:
On Wednesday, Trend Micro quietly released an alert describing a critical 
buffer overflow vulnerability affecting 29 of their antivirus (AV) 
applications. By sending an e-mail containing a specially-crafted attachment, 
an attacker could exploit this flaw to execute code and gain total control of 
any machine running Trend Micro AV. Since AV software scans incoming files 
automatically, the attack can succeed even if the victim does not interact with 
the malicious e-mail. If you use any of Trend Micro's AV products, upgrade the 
application's scan engine to VSAPI version 7.510 or higher immediately. 
Exposure: 
In an alert released yesterday, ISS X-Force warned of a new buffer overflow 
flaw that affects most of Trend Micro's antivirus (AV) products. The flaw 
resembles the Symantec flaw X-Force reported on two weeks earlier. According to 
Trend Micro's advisory, the buffer overflow results from their scanning 
engine's inability to properly parse ARJ files having overly-long filenames. 
ARJ is a special compression format used to make files smaller for easy 
archival.

By sending an e-mail containing a specially-crafted, ARJ-compressed attachment, 
an attacker can exploit this buffer overflow to execute code on any computer 
running Trend Micro AV software. Since AV software scans incoming files 
automatically, it is feasible for the attack to succeed even if no one 
interacts with the malicious e-mail. Once the infected e-mail is received at a 
valid address on your network, the attacker could obtain full control of a 
victim's PC whether or not anyone opens the booby-trapped e-mail. 

This flaw presents a critical risk. Imagine if an attacker sent a 
specially-crafted attack e-mail to your entire organization. If you use Trend 
Micro's Gateway AV solutions, the attacker could gain control of your gateway 
AV server and all your clients in one sweeping stroke. 
Solution Path:
Upgrading to Trend Micro's scanning engine VSAPI 7.510 or higher fixes this 
problem. If you use any Trend Micro AV products, visit their Scan Engine Update 
page and download and install the appropriate update immediately.
For All WatchGuard Users:
Although some of WatchGuard's Fireboxes can mitigate this risk by helping you 
to block e-mailed ARJ files, we highly recommend you update your Trend Micro 
scan engine immediately in order to fully protect yourself from this 
vulnerability. Nonetheless, if you want to block ARJ files with your Firebox in 
the interim, see the details below. 
Suggestions for Firebox II / III / X owners 
With a Firebox II, III or X you can use the SMTP Proxy to block ARJ files 
temporarily until you apply Trend Micro's update. Keep in mind, this procedure 
blocks both malicious and legitimate ARJ files. You might want to reverse this 
procedure, allowing ARJ files once again, as soon as you install Trend Micro's 
new scanning engine.

If you have configured an SMTP Proxy
In the WatchGuard Policy Manager, double-click the SMTP Proxy icon. Click the 
Properties tab. Click the Incoming button. Click the Content Types tab. Make 
sure that the "Deny attachments based on these file name patterns" list 
includes *.arj. If you do not see *.arj in the list, click the Add button and 
add it.

If you have not configured an SMTP Proxy
In the WatchGuard Policy Manager, select Edit > Add Service. Expand the Proxies 
folder. Double-click SMTP. Click Add. Click OK. Then follow the steps above.
Suggestions for Firebox Vclass owners 
The default configuration of the SMTP-Incoming proxy action strips all files 
but *.doc, *.txt, and *.xls, so ARJ files shouldn't get past your proxy. 
However, you can use the procedure below to ensure the proxy strips *.arj 
attachments. 

Make or change a custom proxy action based on SMTP-Incoming to strip *.arj 
files. If you made a proxy action based on SMTP-Incoming, you can edit it so 
that it strips all of these attachments. In the Vcontroller software, click the 
Proxies button. Double-click your custom proxy action. On the Content Checking 
tab, change Category to Attachment Filename. Click the Add to Top or Insert 
After button. Only one option appears in the dialog box. Type ARJ_files as the 
rule name. Select Pattern Match. Next to Pattern Match, type *.arj. Select 
Strip as the Action. Apply the new Proxy Action to your SMTP rule to make sure 
that the Firebox strips ARJ files.
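The Firebox steps above amount to one gateway rule: strip any SMTP attachment whose filename matches *.arj. As an added example, not part of the WatchGuard alert and not WatchGuard's or Trend Micro's code, the following Python script applies that same filename deny pattern to a MIME message, and adds one check a gateway filter benefits from: it also strips any attachment whose payload begins with the ARJ header id bytes 0x60 0xEA, so that an ARJ archive delivered under some other filename is caught too (a scan engine recognizes an archive by its content, not its name, so a gateway filter should as well). The message it runs on is constructed inline for the demonstration; the placeholder ARJ payloads carry only the header id and padding, not a real archive.

```python
"""Gateway-side attachment filter mirroring the Firebox SMTP proxy rule.

Strips attachments that (a) match a filename deny pattern such as *.arj, or
(b) carry the ARJ header id 0x60 0xEA at offset 0 whatever their name.
Only the Python standard library is used.
"""
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

DENY_PATTERNS = ["*.arj"]          # same pattern the Firebox procedure adds
ARJ_MAGIC = b"\x60\xea"             # header id at the start of every ARJ archive


def classify_attachment(filename, payload, patterns=DENY_PATTERNS):
    """Return a reason string if the attachment should be stripped, else None."""
    name = (filename or "").lower()
    for pat in patterns:
        if fnmatch.fnmatch(name, pat.lower()):
            return f"filename matches deny pattern {pat}"
    if payload[:2] == ARJ_MAGIC:
        return "payload carries ARJ header id 0x60EA"
    return None


def filter_message(raw, patterns=DENY_PATTERNS):
    """Parse a raw RFC 822 message, replace denied attachments with a
    placeholder text part, and return (cleaned_message, stripped) where
    stripped is a list of (filename, reason) tuples."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(filename, payload, patterns)
        if reason:
            stripped.append((filename, reason))
            # set_content() clears the Content-* headers (including the
            # attachment disposition) and leaves a plain-text notice behind.
            part.set_content(f"[attachment removed by gateway: {reason}]")
    return msg, stripped


def remaining_attachments(msg):
    """Filenames of the attachments still present after filtering."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def build_sample():
    """Constructed test message (not taken from the advisory): one attachment
    named *.arj, one ARJ-headed payload under a .txt name, one harmless file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("see attached")
    fake_arj = ARJ_MAGIC + b"\x00" * 30   # placeholder, not a real archive
    msg.add_attachment(fake_arj, maintype="application",
                       subtype="octet-stream", filename="report.arj")
    msg.add_attachment(fake_arj, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"plain text, nothing to see", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, dropped = filter_message(build_sample())
    for name, why in dropped:
        print(f"stripped {name}: {why}")
    print("kept:", remaining_attachments(cleaned))
```

The filename pattern check is what the Firebox GUI steps configure; the header id check is the part the Firebox procedure does not give you, and it is the one that still holds once the interim block is lifted if you keep the filter for other archive types. Like the Firebox rule, both checks strip legitimate ARJ files as well as malicious ones.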
Status:
Trend Micro's scan engine VSAPI 7.510 fixes this issue. 
References:
Trend Micro's ARJ Buffer Overflow Alert 

http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution

ISS X-Force's ARJ Buffer Overflow Alert 

http://xforce.iss.net/xforce/alerts/id/189

This alert was researched and written by Corey Nachreiner
