Full Disclosure mailing list archives
Trend Micro ActiveX Multiple Overflows
From: Cesar <cesarc56 () yahoo com>
Date: Fri, 11 Jul 2003 19:05:34 -0700 (PDT)
Systems affected: HouseCall (Trend Micro's online virus scanning service) and Damage Cleanup Server version 1.0

Some history:

On 06/22/03, in the "Symantec ActiveX control buffer overflow" advisory, I put the following at the bottom of it:

---------------------------
Important note: I recommend antivirus companies with online virus scan services to check your ActiveX controls if you are really interested in protecting users, especially Trend Micro: fix those HouseCall ActiveX multiple overflows!!!
---------------------------

On 06/30/03 I received a mail from Trend Micro acknowledging the issue, saying that they had fixed the bug and that they would put the fixed ActiveX online in the next days. I responded to the mail telling them that they should release a public advisory, and other things. I didn't get a response.

On 07/01/03 or 07/02/03 (I don't know the exact date) Trend Micro updated the ActiveX online and issued a knowledge article: http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15274

But Trend Micro didn't release a public advisory, leaving millions of users exposed to attack.

After this I went to the Trend Micro site and updated the ActiveX by going to the online virus scanning service, then I ran some tests and, what a surprise!, Trend Micro didn't fix all the overflows: there was still one exploitable overflow and many DOS. I sent them two emails telling them that they hadn't fixed the overflows and that they must fix them and release a public advisory so their customers could be protected against exploitation of the bugs. I didn't get any response.

On 07/07/03 they updated their site with a new fixed ActiveX. Again Trend Micro didn't release a public advisory, leaving millions of users exposed to attack. This time it seems that there are no exploitable overflows, but all the overflows that cause DOS (crashing IE) are still present.

To reproduce the overflows:

Go to Trend Micro Online Scan, save the page that loads the ActiveX control, then edit the HTML source and choose any initialization <param> tag with string values and set a long string (600K chars will be ok), save and open with IE; IE will crash. Who knows, maybe you'll find one that is exploitable.

Workaround:

Go to %SystemRoot%\Downloaded Program Files\, search for "HouseCall Control", select it, right click and remove. Also choose another antivirus company :).

Conclusion:

Here we can see an irresponsible company, "Trend Micro", that doesn't care at all about their customers/users. Trend Micro is supposed to protect users, but Trend Micro is threatening users. THIS IS REALLY A SHAME. This company has products certified by the US government???

JOIN NOW AND GET A NEW Microsoft JET engine UNDISCLOSED BUG AFFECTING SQL SERVER!!!

NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Join at: sqlserversecurity-subscribe () yahoogroups com
http://groups.yahoo.com/group/sqlserversecurity/

Cesar Cerrudo.

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html