The problem is with ARJ files

Feb 28, 2005 08:38 GMT

Trend Micro urges all users of its anti-virus products to update and install security fixes, as a potentially serious security flaw has been discovered in 29 of its products.

The security bug, discovered by security researchers at ISS, involves flaws in the processing of ARJ archive files by an antivirus library that give rise to possible buffer overflow attacks. Should any of these flaws be exploited by hackers, they could gain unauthorised access to networks and machines protected by the Trend Micro AntiVirus Library product.

Desktop, server and gateway versions of Trend's anti-virus scanners all need updating to version 7.510 of Trend's scan engine or higher because of the vulnerability. Several large vendors and ISPs use Trend Micro's AntiVirus Library in their products, which likewise need attention.

Earlier this month, ISS also warned users of F-Secure anti-virus products to apply security patches following the discovery of a potentially serious security vulnerability in 18 of its products. That security bug also involved flaws in the processing of ARJ archive files by an antivirus library that give rise to possible buffer overflow attacks.

The Trend Micro vulnerability exists in the ARJ archive file format parser, which is too permissive, especially in the file name field of the local header. This file name is stored as a null-terminated string and is limited only by the overall size of the local header (the local header size is stored as a 16-bit value and is limited to 2,600 bytes).

If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies it into a 512-byte buffer, overwriting the data structure that follows.

One of the fields in that data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment to a member of the structure referred to by the overwritten pointer, which causes an illegal memory access.

Thus, it is possible to create a specially crafted ARJ archive file that overwrites data beyond the allocated 512-byte buffer. Such a file could possibly lead to the execution of arbitrary code.
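As an added illustration (not Trend Micro's VSAPI code), a bounded version of the file-name extraction the article describes: it reads the 16-bit header size, enforces the 2,600-byte header limit, searches for the terminator only inside the declared header, and refuses to copy a name that would not fit the 512-byte buffer. The header layout assumed here (0x60 0xEA id, size field, a first_hdr_size byte giving the name's offset) follows the public ARJ format description, and the 30-byte fixed part used by the constructed test header is an assumption for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Assumed ARJ local-header layout (public ARJ format description, not VSAPI code):
 * bytes 0-1 header id 0x60 0xEA, bytes 2-3 little-endian basic header size, then the
 * basic header whose first byte (first_hdr_size) is the offset of the NUL-terminated name. */
#define ARJ_MAX_HEADER 2600  /* header size limit stated in the article */
#define NAME_BUF_SIZE  512   /* the scanner's fixed file-name buffer, per the article */
enum { ARJ_OK = 0, ARJ_BAD_ID = -1, ARJ_BAD_SIZE = -2, ARJ_NO_NUL = -3, ARJ_NAME_TOO_LONG = -4 };

/* Bounded extraction of the file name into out[]: the NUL is searched for only inside
 * the declared header, and a name that would not fit the buffer is rejected, not copied. */
int arj_read_filename(const uint8_t *data, size_t len, char out[NAME_BUF_SIZE])
{
    if (len < 4 || data[0] != 0x60 || data[1] != 0xEA)
        return ARJ_BAD_ID;
    size_t hdr_size = data[2] | ((size_t)data[3] << 8);          /* 16-bit field */
    if (hdr_size == 0 || hdr_size > ARJ_MAX_HEADER || hdr_size > len - 4)
        return ARJ_BAD_SIZE;
    const uint8_t *hdr = data + 4;
    size_t name_off = hdr[0];                                     /* first_hdr_size */
    if (name_off >= hdr_size)
        return ARJ_BAD_SIZE;
    const uint8_t *name = hdr + name_off;
    const uint8_t *nul = memchr(name, '\0', hdr_size - name_off);
    if (nul == NULL)
        return ARJ_NO_NUL;                                        /* unterminated name */
    size_t name_len = (size_t)(nul - name);
    if (name_len >= NAME_BUF_SIZE)
        return ARJ_NAME_TOO_LONG;  /* an unbounded copy here is the overflow described */
    memcpy(out, name, name_len + 1);
    return ARJ_OK;
}

/* Constructed test input: a header carrying a name of name_len 'A' bytes, then parsed.
 * The 30-byte fixed part before the name is an assumption for this demo. */
int arj_demo(size_t name_len)
{
    uint8_t buf[4 + ARJ_MAX_HEADER];
    char out[NAME_BUF_SIZE];
    size_t first = 30, hdr_size = first + name_len + 2;            /* name NUL + empty comment */
    if (hdr_size > ARJ_MAX_HEADER)
        return ARJ_BAD_SIZE;
    memset(buf, 0, sizeof buf);
    buf[0] = 0x60; buf[1] = 0xEA;
    buf[2] = (uint8_t)(hdr_size & 0xFF); buf[3] = (uint8_t)(hdr_size >> 8); buf[4] = (uint8_t)first;
    memset(buf + 4 + first, 'A', name_len);
    return arj_read_filename(buf, 4 + hdr_size, out);
}
```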