Bardissi Enterprises Blog

LiveSecurity | Urgent: Trend Micro AV Flaw Admits Attackers

UPX Compressed Files Can Infect Trend Micro AntiVirus

Severity: High

8 February, 2007

Summary:

Yesterday, iDefense released an alert describing a serious buffer overflow vulnerability affecting Trend Micro’s antivirus (AV) scan engine. By sending an e-mail containing a specially crafted attachment, an attacker could exploit this flaw to execute code and gain total control of any machine running Trend Micro AV. Since AV software scans incoming files automatically, the attack could succeed even if the targeted victim does not interact with the malicious e-mail. If you use any of Trend Micro’s AV products, upgrade the application’s Virus Pattern File to 4.245.00 or higher.

Exposure:

In order to work properly, antivirus scanning products have to know how to interpret many different computer file formats and compression techniques. Ultimate Packer for eXecutables (UPX) is one such compression technique, commonly used to reduce the amount of storage space an executable file takes up.

In an alert released yesterday, iDefense warned of a new buffer overflow flaw in Trend Micro’s AV scan engine. The buffer overflow results from the scan engine’s failure to properly parse malformed UPX-compressed executables.

By sending an email containing a specially crafted, UPX-compressed attachment, an attacker can exploit this buffer overflow to execute code on any computer running Trend Micro AV software. Since AV software scans incoming files automatically, this sort of attack would succeed even if no one interacts with the malicious email. Once the malicious email reaches a valid address on your network, the attacker could obtain full control of the victim’s PC whether or not anyone opens the booby-trapped message. Furthermore, many of Trend Micro’s AV products also scan files that pass via HTTP or FTP. This means an attacker might also exploit this flaw by hosting a malicious UPX-compressed file on a Web or FTP site.

This flaw presents a critical risk to Trend Micro AV administrators. Imagine if an attacker sent a specially crafted attack email to your entire organization. If you use Trend Micro’s Gateway AV solutions, the attacker could gain control of your gateway AV server and all your clients in one sweeping stroke.

As an aside, iDefense also found a second, lower-risk vulnerability in Trend Micro’s scan engine. According to their alert, the scan engine also suffers from a local elevation of privilege vulnerability. However, in order to exploit this second flaw, an attacker has to log on to your computer locally. This flaw presents much less risk than the flaw headlined above.

Solution Path:

Upgrading to Trend Micro’s Virus Pattern File 4.245.00 fixes the severe flaw, while upgrading its Anti-Rootkit Common module to version 1.600-1052 fixes the lesser vulnerability. If you use any Trend Micro AV products, check out the “Solutions” section of the Trend Micro advisories listed below to find the latest update for your Trend Micro software:

For All WatchGuard Users:

Although some of WatchGuard’s Fireboxes can mitigate this risk by helping you block emailed executable files, we highly recommend you update your Trend Micro scan engine immediately in order to fully protect yourself from this vulnerability.
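The Firebox mitigation above comes down to recognising executable attachments at the gateway before a vulnerable scanner ever parses them. The following is an added example, not code from the alert or from WatchGuard or Trend Micro: a bounds-checked reader of the PE section table that flags UPX-packed executables (UPX writes sections named UPX0/UPX1/UPX2) and rejects headers whose fields point outside the file, which is the check a scan engine must make before trusting attacker-controlled header values. The `build_pe` helper constructs minimal header-only PE images for testing.

```python
import struct

# Standard section names written by the UPX packer, and the PE/COFF limit on
# NumberOfSections. Structure offsets below follow the PE/COFF specification.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
MAX_SECTIONS = 96


def pe_section_names(data: bytes) -> list[bytes]:
    """Return a PE file's section names; raise ValueError on a malformed header.

    Every offset read from the file is checked against the file length before
    it is dereferenced, so a crafted e_lfanew, SizeOfOptionalHeader or
    NumberOfSections cannot drive a read past the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or out of bounds")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if num_sections > MAX_SECTIONS or table + 40 * num_sections > len(data):
        raise ValueError("section table exceeds file size")
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
            for i in range(num_sections)]


def classify_attachment(data: bytes) -> str:
    """Gateway verdict: block executables, and especially packed or malformed ones."""
    if data[:2] != b"MZ":
        return "not-executable"
    try:
        names = pe_section_names(data)
    except ValueError:
        return "malformed-executable"  # reject rather than guess at the layout
    return "upx-packed-executable" if UPX_SECTION_NAMES & set(names) else "executable"


def build_pe(section_names: list[bytes]) -> bytes:
    """Constructed minimal PE32 image (headers only, no code) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0xE0, 0x102)
    optional = b"\0" * 0xE0  # SizeOfOptionalHeader for PE32
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + optional + sections


if __name__ == "__main__":
    print(classify_attachment(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
```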

Status:

Trend Micro’s Virus Pattern File 4.245.00 and Anti-Rootkit Common Module version 1.600-1052 fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
