Trend Micro: [Vulnerability Confirmation] Antivirus UPX Parsing Kernel Buffer Overflow Vulnerability

by Vitaly Popovich [Published on 8 Feb. 2007 / Last Updated on 8 Feb. 2007]

Solution ID:

1034289A recent system upgrade added a '1' or '2' to old solution IDs. You find these solutions by removing or retaining the extra '1' or '2'.

Product:

Scan Engine - 8.300, Scan Engine - 8.000

Operating System:

N/A

Published:

2/6/07 5:18 AM

Problem:

Trend Micro has become aware of a vulnerability in its Scan Engine, wherein a corrupted UPX file can cause a buffer overflow and lead to either of the following:

• Blue screen of death (BSOD)
• Execution of arbitrary code that allows an attacker to take control of the system

It affects all Trend Micro products and versions using the Scan Engine and Pattern File technology. A complete list of products is found in:

• http://www.trendmicro.com/download/engine.asp
• http://www.trendmicro.com/download/pattern.asp

Solution:

To address the vulnerability, update to virus pattern file 4.245.00 or higher. This provides the following fixes:

• Update of the UPX Parsing algorithm
• Generic detection for malformed UPX files

Enhancements will also be applied on the Scan Engine and the fix will be included in the upcoming release of version 8.5.
If you encounter issues downloading the pattern file from the ActiveUpdate server, refer to the following manual update solutions:
Client / Server / Messaging Security for SMB
Manually updating the Pattern File on the Security Server
Manually updating the Pattern File on the Client / Server Security Agent
Manually updating the Pattern File on the Messaging Security Agent
Client / Server Security for SMB
Manually updating the Pattern File on the Security Server
Manually updating the Pattern File on the Client / Server Security Agent
Control Manager
InterScan Messaging Security Suite
InterScan VirusWall
InterScan VirusWall for SMB (version 5.0)
InterScan Web Security Suite
OfficeScan
ScanMail for Lotus Domino
ScanMail for Microsoft Exchange
ServerProtect for Linux
ServerProtect for Microsoft Windows
ServerProtect for Novell NetWare

Solution ID: 1034289
A recent system upgrade added a '1' or '2' to old solution IDs. You find these solutions by removing or retaining the extra '1' or '2'.
Product: Scan Engine - 8.300, Scan Engine - 8.000
Operating System: N/A
Published: 2/6/07 5:18 AM

Problem:

Trend Micro has become aware of a vulnerability in its Scan Engine, wherein a corrupted UPX file can cause a buffer overflow and lead to either of the following:

• Blue screen of death (BSOD)

• Execution of arbitrary code that allows an attacker to take control of the system

It affects all Trend Micro products and versions using the Scan Engine and Pattern File technology. A complete list of products is found in:

Solution:

To address the vulnerability, update to virus pattern file 4.245.00 or higher. This provides the following fixes:

• Update of the UPX Parsing algorithm

• Generic detection for malformed UPX files

Enhancements will also be applied on the Scan Engine and the fix will be included in the upcoming release of version 8.5.

If you encounter issues downloading the pattern file from the ActiveUpdate server, refer to the following manual update solutions:

Client / Server / Messaging Security for SMB

Manually updating the Pattern File on the Security Server

Manually updating the Pattern File on the Client / Server Security Agent

Manually updating the Pattern File on the Messaging Security Agent

Client / Server Security for SMB

Manually updating the Pattern File on the Security Server

Manually updating the Pattern File on the Client / Server Security Agent

Control Manager

InterScan Messaging Security Suite

InterScan VirusWall

InterScan VirusWall for SMB (version 5.0)

InterScan Web Security Suite

OfficeScan

ScanMail for Lotus Domino

ScanMail for Microsoft Exchange

ServerProtect for Linux

ServerProtect for Microsoft Windows

ServerProtect for Novell NetWare

Trend Micro PC-cillin Internet Security 2005

Trend Micro PC-cillin Internet Security 2006

Trend Micro PC-cillin Internet Security 2007

If you suspect that you may have been affected by this vulnerability, contact your Technical Account Manager or Trend Micro Technical Support Services in your region.

This vulnerability was reported to Trend Micro by the iDefense Vulnerability Labs.

Add Review or Comment

Featured Links