Trend Micro's anti-virus products vulnerable to privilege escalation
Security service provider iDefense has released a security advisory about a vulnerability in Trend Micro products for corporate and individual users. A driver installed by the anti-virus products contains a flaw which allows local users to execute arbitrary code at SYSTEM privilege level.
The Tmxpflt.sys driver provides access to the \\.\Tmfilter DOS device interface. However, access privileges allow write access for Everyone. A driver function called this way does not validate the length of a user-supplied parameter before copying the parameter to a fixed-size buffer. This can cause a buffer overflow allowing arbitrary code to be executed in the kernel context.
The flawed driver versions 8.320.1004 and 8.500.1002 are used, for example, in PC-Cillin Internet Security 2007, Client Server Messaging Security for SMB 3.6, Client Server Security for SMB 3.6, OfficeScan 7 and 8 and in ServerProtect for Microsoft Windows as well as Novell NetWare 5.58. To resolve this vulnerability and several software compatibility issues, Trend Micro plans to release Scan Engine 8.550-1001 on its ActiveUpdate servers on October 30th.
- Trend Micro Tmxpflt.sys IOCTL 0xa0284403 Buffer Overflow Vulnerability, iDefense security advisory
- Buffer overflow in Scan Engine Tmxpflt.sys 8.320.1004 and .500.1002, Trend Micro error report
- Issues resolved by Scan Engine version 8.550-1001, Trend Micro summary of scan engine alterations