08 February 2007, 11:19

Security leaks in virus scanners

Security service provider iDefense has found two vulnerabilities in Trend Micro's antivirus products that allow attackers to inject arbitrary program code and execute it with system rights. In addition, Alwil's Avast Server Edition virus scanner does not always ask for a password if one is set.

Trend Micro's virus scanner trips up when processing manipulated UPX-compressed files. The results can be a memory violation that causes the scanner to crash; however, iDefense speculates that it might also be possible to inject code and execute it with the rights of the service. Attackers would then be able to exploit the hole by means of specially prepared e-mails, for instance.

iDefense found a second security hole in the TmComm.sys file. It is part of the root kit detection module and provides a device interface. Unfortunately, the group "everyone" has write access to the interface. Locally registered users then have access to input and output functions (IOCTLs) normally reserved for privileged users. In addition, the IOCTL routines do not check the addresses provided by the application software. As a result, local users can override arbitrary memory areas or execute their own programming code with system rights.

Trend Micro is providing updates to remedy the flaws in the versions affected, which include everything from almost all consumer solutions to server products. Should your automatic update function be disabled for any reason, make sure that your administrator installs these updates as quickly as possible. Alwil is also providing an updated version of its Server Edition, which now always asks for the configured password.