In association with heise online

25 August 2008, 13:02

Trend Micro session token insufficiently random

Secunia, the security services provider, has issued a security advisory about a vulnerability in Trend Micro's OfficeScan 8.0 and Worry-Free Business Security 5.0 that makes it easier for attackers to take control of the web management of those products. According to Secunia, the web-based configuration interface uses a pseudo-random token to identify a logged-on manager, but its entropy is evidently based on the time at which the user logs in.

Knowing that, brute-force attackers could predict a valid password authentication token substantially more quickly and then use it to log in to the web interface. The report says that, besides changing settings, attackers could also execute their own arbitrary code.

Client Server Messaging Security for SMB 3.x and OfficeScan Corporate Edition 7.x are also affected. So far, Trend Micro has only provided updates for OfficeScan 8.0 and Worry-Free Business Security 5.0.
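
Why a token whose entropy comes from the login time is weak, shown as an added example that is not Trend Micro's code and not part of the original article. The advisory summary above does not give the actual token algorithm, so `weak_token` is a hypothetical design seeded only by the login second, set beside a hardened form that draws from the operating system's CSPRNG.

```python
import math
import random
import secrets

TOKEN_BYTES = 16  # 128-bit token; size chosen for this example


def weak_token(login_time: int) -> str:
    """Hypothetical weak design: the login time (seconds) is the only seed."""
    rng = random.Random(login_time)  # deterministic PRNG, not a CSPRNG
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Hardened form: token drawn from the operating system's CSPRNG."""
    return secrets.token_hex(TOKEN_BYTES)


def effective_bits_weak(window_seconds: int) -> float:
    """Entropy of weak_token when the login time is known to within a window."""
    return math.log2(window_seconds)


def distinct_weak_tokens(start: int, window_seconds: int) -> int:
    """Count the distinct tokens the weak design can emit inside a time window."""
    return len({weak_token(t) for t in range(start, start + window_seconds)})


if __name__ == "__main__":
    login = 1219669320  # constructed sample timestamp
    # The same login second always yields the same token.
    print("weak token repeatable:", weak_token(login) == weak_token(login))
    # The token looks 128 bits long but only one value exists per second.
    print("weak tokens possible in 1 hour:", distinct_weak_tokens(login, 3600))
    print("weak effective bits (1 hour):", round(effective_bits_weak(3600), 1))
    print("strong token bits:", TOKEN_BYTES * 8)
    print("strong sample:", strong_token())
```
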
