ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 03.14.07: Trend Micro Antivirus UPX ParsingKernel Divide by Zero Vulnerability



> -----Original Message-----
> From: 
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com 
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, March 14, 2007 7:55 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 03.14.07: Trend Micro 
> Antivirus UPX ParsingKernel Divide by Zero Vulnerability
> 
> Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
> 
> iDefense Security Advisory 03.14.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Mar 14, 2007
> 
> I. BACKGROUND
> 
> Trend Micro AntiVirus is an virus scanning engine included in 
> a wide array
> of products by Trend Micro. Several examples of vulnerable products
> include PC-cillin and Internet Security Suite.
> 
> http://www.trendmicro.com/en/home/us/home.htm
> 
> II. DESCRIPTION
> 
> Remote exploitation of a divide by zero error in Trend Micro 
> AntiVirus may
> allow attackers to cause a denial of service.
> 
> The vulnerability exists in the kernel driver, VsapiNT.sys. 
> This driver is
> responsible for scanning various file formats for malicious 
> content. The
> code that parses UPX files takes an integer value from an attacker
> supplied file and uses it as a divisor. This results in a 
> divide by zero
> error in kernel mode. This causes a kernel fault resulting in a blue
> screen of death (BSOD).
> 
> III. ANALYSIS
> 
> Exploitation of this vulnerability results not only in a DOS 
> of the Trend
> Micro process, but in an operating system crash.
> 
> There are several different attack vectors depending on which 
> product is
> being targeted. Someone targeting a home user would need to convince a
> user to download a file from a website or an attachment from an email
> message. The user would then need to manually scan this file 
> or save it
> and have the Trend Micro auto scan process scan it at some 
> later time. If
> instead a mail gateway is being targeted this vulnerability can be
> exploited automatically by sending a malicious attachment through a
> gateway that uses Trend Micro to scan content.
> 
> IV. DETECTION
> 
> iDefense has confirmed the existence of this vulnerability in 
> Trend Micro
> AntiVirus version 14.10.1041, engine version 8.320.1003. 
> Previous versions
> may also be affected.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any workarounds for this issue.
> 
> VI. VENDOR RESPONSE
> 
> "To address this vulnerability, Trend Micro recommends 
> customers to update
> to Virus Pattern File 4.335.00 or higher."
> 
> For more information, consult the Trend Micro Knowledge Base 
> article at
> the link shown below.
> 
> http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) 
> number has not
> been assigned yet.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 02/27/2007  Initial vendor notification
> 02/27/2007  Initial vendor response
> 03/14/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert 
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of 
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at
> the time of publishing based on currently available 
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or 
> reliance on, this
> information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 



 




Copyright © Lexa Software, 1996-2009.