Full Disclosure mailing list archives

Trend Micro ActiveX Multiple Overflows


From: Cesar <cesarc56 () yahoo com>
Date: Fri, 11 Jul 2003 19:05:34 -0700 (PDT)


Systems affected: HouseCall (Trend Micro's online virus
scanning service) and Damage Cleanup Server version
1.0


Some history:

On 06/22/03, in the "Symantec ActiveX control buffer
overflow" advisory, I put the following note at the
bottom:

---------------------------
Important note:
I recommend that antivirus companies with an online
virus scan service check their ActiveX controls if
they are really interested in protecting users;
especially Trend Micro should fix those HouseCall
ActiveX multiple overflows!!!
---------------------------

On 06/30/03 I received a mail from Trend Micro
acknowledging the issue, saying that they had fixed
the bug and would put the fixed ActiveX online in the
next few days. I replied telling them that they
should release a public advisory, among other things.
I didn't get a response.

On 07/01/03 or 07/02/03 (I don't know the exact date)
Trend Micro updated the ActiveX online and issued a
knowledge base article:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15274

But Trend Micro didn't release a public advisory,
leaving millions of users exposed to attack.

After this I went to the Trend Micro site and updated
the ActiveX by visiting the online virus scanning
service, then I ran some tests and, what a surprise,
Trend Micro hadn't fixed all the overflows: there was
still one exploitable overflow and many DoS. I sent
them two emails telling them that they hadn't fixed
the overflows, that they must fix them and release a
public advisory so their customers could be protected
against exploitation of the bugs. I didn't get any
response.

On 07/07/03 they updated their site with a new fixed
ActiveX.
Again Trend Micro didn't release a public advisory,
leaving millions of users exposed to attack.
This time it seems that there are no exploitable
overflows, but all the overflows that cause a DoS
(crashing IE) are still present.


To reproduce the overflows:

Go to the Trend Micro Online Scan, save the page that
loads the ActiveX control, then edit the HTML source,
choose any initialization <param> tag with a string
value and set a long string (600K chars will do), save
the file and open it with IE; IE will crash. Who knows,
maybe you'll find one that is exploitable.


Workaround:

Go to %SystemRoot%\Downloaded Program Files\, search
for "HouseCall Control", select it, right-click and
remove it.
Also choose another antivirus company :).
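As an added example (not part of the original post), a report-only PowerShell audit that an administrator can run to confirm whether the HouseCall control is still registered before removing it by hand as described above. It assumes Internet Explorer records controls installed into Downloaded Program Files under the "Code Store Database\Distribution Units" registry key, and that the control's friendly name or CODEBASE contains "HouseCall"; both are assumptions, not details from the advisory.

```powershell
# Added example: audit for the HouseCall ActiveX control installed via
# Downloaded Program Files. Report-only; removal stays the manual step above.
# Assumptions: IE records downloaded controls under the Code Store Database
# key below, and the control's friendly name or CODEBASE contains "HouseCall".
$duRoot = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Get-DownloadedControl {
    param([string]$NamePattern = 'HouseCall')
    if (-not (Test-Path $duRoot)) { return @() }
    Get-ChildItem $duRoot | ForEach-Object {
        $clsid = $_.PSChildName
        # Friendly name ("HouseCall Control" in the shell view) lives on the CLSID key.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
        # Where the control was downloaded from (CODEBASE of the <object> tag).
        $dl = Get-ItemProperty "$duRoot\$clsid\DownloadInformation" -ErrorAction SilentlyContinue
        # Files the distribution unit installed (OCX/DLL names as value names).
        $files = @()
        $filesKey = "$duRoot\$clsid\Contains\Files"
        if (Test-Path $filesKey) { $files = (Get-Item $filesKey).GetValueNames() }
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $name
            CodeBase = $dl.CODEBASE
            Files    = ($files -join '; ')
        }
    } | Where-Object { $_.Name -match $NamePattern -or $_.CodeBase -match $NamePattern }
}

$found = Get-DownloadedControl
if ($found) {
    $found | Format-List
    Write-Output "HouseCall control present: remove it from $env:SystemRoot\Downloaded Program Files as described in the workaround."
} else {
    Write-Output 'No HouseCall control found under Downloaded Program Files.'
}
```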

Conclusion:

Here we can see an irresponsible company, "Trend Micro",
that doesn't care at all about its customers/users.
Trend Micro is supposed to protect users, but Trend
Micro is threatening users. THIS IS REALLY A SHAME.
Does this company have products certified by the US
government???


JOIN NOW AND GET A NEW Microsoft JET engine
UNDISCLOSED BUG AFFECTING SQL SERVER!!!
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe () yahoogroups com
http://groups.yahoo.com/group/sqlserversecurity/

Cesar Cerrudo.






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

