OT: Trend Micro AntiVirus Library Heap Overflow [please read if you use Trend Micro]

Discussion in 'Windows Small Business Server' started by Mark McDonald, Feb 26, 2005.

  1. http://www.trendmicro.com/vinfo/sec...ARJ+parsing+could+allow+Remote+Code+execution


    This vulnerability exists in the ARJ archive file format parser.

    The ARJ archive file format is too flexible especially in the file name
    field in the local header. This file name is stored as a null-terminated
    string and limited only by the overall size of the local header (local
    header size is stored as a 16-bit value and is limited to 2,600 bytes only).

    If the file name exceeds the maximum allocated size, the VSAPI scan engine
    still copies this file name into a 512-byte buffer, overwriting the
    succeeding data structure. One of the fields in the said data structure is a
    pointer to another data structure. The next instruction after the copying of
    the file name is an assignment instruction to a member of the structure that
    is referred to by the overwritten pointer. The said routine causes an
    illegal memory access.

    Thus, it is possible to create a specially-crafted ARJ archive file that
    overwrites data after the allocated 512-byte buffer. This specially-crafted
    file could possibly execute arbitrary code.

    The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189
    Mark McDonald, Feb 26, 2005
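The length check that the quoted advisory describes as missing, written out as an added example (this is not Trend Micro's code and not part of the thread). The header field offsets follow the public ARJ format notes and, like the function names, are assumptions; `arj_check_sample` builds a constructed header for demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARJ_MAX_HDR   2600  /* header size limit quoted in the advisory */
#define NAME_BUF_SIZE 512   /* destination buffer size quoted in the advisory */

/* Assumed layout (public ARJ format notes, not from the thread):
 * [0..1] magic 0x60 0xEA, [2..3] basic header size (little-endian),
 * [4] first_hdr_size; the file name starts at offset 4 + first_hdr_size. */
enum arj_status { ARJ_OK = 0, ARJ_BAD_HEADER = -1,
                  ARJ_NAME_UNTERMINATED = -2, ARJ_NAME_TOO_LONG = -3 };

/* Copy the header's file name into out, refusing names that do not fit. */
int arj_copy_name(const uint8_t *buf, size_t len, char *out, size_t out_sz)
{
    if (len < 5 || buf[0] != 0x60 || buf[1] != 0xEA)
        return ARJ_BAD_HEADER;
    size_t hdr_size = (size_t)buf[2] | ((size_t)buf[3] << 8);
    size_t first = buf[4];
    if (hdr_size == 0 || hdr_size > ARJ_MAX_HDR || hdr_size > len - 4 ||
        first == 0 || first >= hdr_size)
        return ARJ_BAD_HEADER;
    const uint8_t *name = buf + 4 + first;
    const uint8_t *nul = memchr(name, 0, hdr_size - first); /* stay inside header */
    if (nul == NULL)
        return ARJ_NAME_UNTERMINATED;
    size_t n = (size_t)(nul - name);
    if (n + 1 > out_sz)            /* name plus terminator must fit */
        return ARJ_NAME_TOO_LONG;
    memcpy(out, name, n + 1);
    return ARJ_OK;
}

/* Constructed sample: header with a name of name_len 'a' bytes, empty comment. */
int arj_check_sample(size_t name_len)
{
    static uint8_t buf[4 + ARJ_MAX_HDR];
    char out[NAME_BUF_SIZE];
    size_t first = 30, hdr = first + name_len + 2; /* two NUL terminators */
    if (hdr > ARJ_MAX_HDR)
        return ARJ_BAD_HEADER;
    memset(buf, 0, sizeof buf);
    buf[0] = 0x60; buf[1] = 0xEA;
    buf[2] = (uint8_t)(hdr & 0xFF); buf[3] = (uint8_t)(hdr >> 8);
    buf[4] = (uint8_t)first;
    memset(buf + 4 + first, 'a', name_len);
    return arj_copy_name(buf, 4 + hdr, out, sizeof out);
}
```

A name of 511 bytes is the longest that fits a 512-byte buffer with its terminator; anything longer is rejected before any copy takes place.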

  2. Follow these steps to manually update your ScanMail scan engine:

    1. Open your Web browser and type the following URL address:


    2. Download the scan engine for your program version of ScanMail.

    3. Stop the ScanMail Real-time Scanning services (Select Start > Programs > Administrative Tools > Services > ScanMail_RealTimeScan > Stop) and make sure that no scheduled scans are running.

    4. Double-click the downloaded file and unzip it.

    5. Copy all files to the ...\Trend\Smex directory, which overwrites the existing files.

    6. Restart the ScanMail Real-time Scanning services (follow the steps in number 3 above, but substitute Start for Stop).

    Excerpted from ScanMail for Exchange on-line help.
    Les Connor [SBS Community Member - SBS MVP], Feb 26, 2005

  3. and this will get pushed down on the 3rd of March.
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Feb 26, 2005