The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Trend Micro Internet Security

vulnerability announce 22992

Trend Micro Internet Security: privilege escalation via ioctl

Synthesis of the vulnerability

An attacker can issue an ioctl call to the kernel driver of Trend Micro Internet Security, in order to write to kernel memory or trigger a denial of service.
Impacted products: TrendMicro Internet Security.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 19/06/2017.
Identifiers: 1117509, VIGILANCE-VUL-22992, ZDI-17-395, ZDI-17-396.

Description of the vulnerability

Trend Micro Internet Security installs a kernel driver.

However, the driver's ioctl handler does not correctly validate its arguments.

An attacker can therefore issue an ioctl call to this driver, in order to write to kernel memory or trigger a denial of service.

vulnerability alert CVE-2017-5565 CVE-2017-5566 CVE-2017-5567

Antivirus: privilege escalation via Microsoft Application Verifier

Synthesis of the vulnerability

An attacker can bypass restrictions of several antivirus products via Microsoft Application Verifier, in order to escalate his privileges.
Impacted products: Avast AV, NOD32 Antivirus, F-Secure AV, AVG AntiVirus, McAfee MOVE AntiVirus, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, TrendMicro Internet Security, OfficeScan.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/03/2017.
Identifiers: 1116957, CVE-2017-5565, CVE-2017-5566, CVE-2017-5567, CVE-2017-6186, CVE-2017-6417, VIGILANCE-VUL-22211.

Description of the vulnerability

An attacker can bypass restrictions of several antivirus products via Microsoft Application Verifier, in order to escalate his privileges.

vulnerability 20800

Trend Micro Internet Security: NULL pointer dereference via tmnciesc

Synthesis of the vulnerability

An attacker can force a NULL pointer dereference in the tmnciesc component of Trend Micro Internet Security, in order to trigger a denial of service.
Impacted products: TrendMicro Internet Security.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user shell.
Creation date: 07/10/2016.
Identifiers: 1115282, 2016-0125, VIGILANCE-VUL-20800, ZDI-16-529, ZDI-16-530.

Description of the vulnerability

The Trend Micro Internet Security product offers a web service.

However, it does not check whether a pointer is NULL before dereferencing it.

An attacker can therefore force a NULL pointer dereference in the tmnciesc component of Trend Micro Internet Security, in order to trigger a denial of service.

computer vulnerability announce CVE-2014-9641

Trend Micro AntiVirus: privilege escalation via tmeext.sys

Synthesis of the vulnerability

An attacker can call an ioctl of the tmeext.sys driver installed by Trend Micro, in order to escalate his privileges.
Impacted products: TrendMicro Internet Security, TrendMicro Titanium.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 06/02/2015.
Identifiers: 1106233, CVE-2014-9641, VIGILANCE-VUL-16127.

Description of the vulnerability

The Trend Micro AntiVirus product installs the tmeext.sys driver.

However, a local user can invoke its ioctl 0x00222400 to escalate his privileges.

An attacker can therefore call this ioctl of tmeext.sys, in order to escalate his privileges.

vulnerability alert CVE-2010-3189

Trend Micro Internet Security: code execution via extSetOwner

Synthesis of the vulnerability

An attacker can lure the victim into browsing a web page that instantiates the UfPBCtrl.dll ActiveX control of Trend Micro Internet Security, in order to execute code on the victim's computer.
Impacted products: TrendMicro Internet Security.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 04/10/2010.
Identifiers: CVE-2010-3189, VIGILANCE-VUL-10001, ZDI-10-165.

Description of the vulnerability

The Trend Micro Internet Security Pro 2010 product installs the UfPBCtrl.dll ActiveX control on the user's computer.

The extSetOwner() method of this control takes the address of a memory area and uses it to modify an object. However, the control does not validate this address.

An attacker can therefore lure the victim into browsing a web page that instantiates the UfPBCtrl.dll ActiveX control, in order to execute code on the victim's computer.

vulnerability bulletin 8683

Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.

Description of the vulnerability

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools but which the antivirus cannot open.

Depending on the Trend Micro product, such archives are handled in three ways:

OfficeScan and ServerProtect only catch the virus once Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable only if the administrator changed the default configuration. [severity:2/4]

ScanMail does not report that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus that is not detected by Trend Micro.

computer vulnerability bulletin CVE-2009-0686

Trend Micro IS: privilege elevation via tmactmon.sys

Synthesis of the vulnerability

A local attacker can use a METHOD_NEITHER ioctl to elevate his privileges via Trend Micro Internet Security.
Impacted products: TrendMicro Internet Security.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 31/03/2009.
Identifiers: CVE-2009-0686, Positive Technologies SA 2009-09, PT-2009-09, VIGILANCE-VUL-8578.

Description of the vulnerability

The tmactmon.sys driver (Trend Micro Activity Monitor) is installed by Trend Micro Internet Security and is reachable by all users via \Device\tmactmon.

The NtDeviceIoControlFile() function (the native call behind DeviceIoControl()) sends an I/O control request to a driver. The low two bits of its IoControlCode parameter select how the input and output buffers are passed:
 - METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT : the I/O manager copies or maps the buffers into the IRP, so the driver never handles raw user addresses
 - METHOD_NEITHER : the driver receives the caller's raw virtual addresses
When METHOD_NEITHER is used, the driver itself has to validate these addresses (with ProbeForRead()/ProbeForWrite() inside a __try/__except block) before reading from or writing to them.

However, tmactmon.sys does not check these addresses. An attacker can therefore supply a malicious buffer as input and a kernel memory address as output: the driver then writes the attacker's data to that privileged kernel address.

A local attacker can therefore use a METHOD_NEITHER ioctl to elevate his privileges via Trend Micro Internet Security.
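The following is an added example, not code from Trend Micro or from the Vigil@nce bulletin. It models the METHOD_NEITHER mistake described above in portable, user-mode C: a fake flat address space stands in for user and kernel memory, USER_LIMIT plays the role of MmUserProbeAddress, the IOCTL number IOCTL_MODEL_COPY is hypothetical, and probe_user_range() does what ProbeForRead()/ProbeForWrite() do in a real driver. Two handlers receive the same attacker-chosen pointers; only the one that probes them refuses to write into the "kernel" byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IOCTL code layout (Windows CTL_CODE): bits 31-16 device type, 15-14 access,
 * 13-2 function number, 1-0 transfer method.  Constant values are the real ones. */
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_DEVICE_UNKNOWN 0x22u
#define FILE_ANY_ACCESS     0u
#define CTL_CODE(type, func, method, access) \
    (((uint32_t)(type) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(func) << 2) | (uint32_t)(method))

/* Hypothetical IOCTL number for this model (not a real tmactmon.sys code). */
#define IOCTL_MODEL_COPY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Return values modelled on NTSTATUS. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define STATUS_INVALID_PARAMETER 0xC000000Du

/* Simulated flat address space.  Addresses below USER_LIMIT are "user mode";
 * USER_LIMIT plays the role of MmUserProbeAddress, everything above is "kernel". */
#define SPACE_SIZE 256u
#define USER_LIMIT 128u
#define KERNEL_SECRET_ADDR 200u   /* a privileged kernel byte (think: a token pointer) */
static uint8_t g_space[SPACE_SIZE];

static void reset_space(void)
{
    memset(g_space, 0, sizeof g_space);
    g_space[KERNEL_SECRET_ADDR] = 0x42;
}

static uint32_t ioctl_method(uint32_t code) { return code & 3u; }

/* Vulnerable handler: copies `len` bytes from the caller's input pointer to the
 * caller's output pointer, trusting both - the tmactmon.sys mistake.  The only
 * bound here keeps the simulation inside g_space; it is not a security check. */
static uint32_t handler_vulnerable(uint32_t code, uint32_t in_addr, uint32_t out_addr, uint32_t len)
{
    if (ioctl_method(code) != METHOD_NEITHER) return STATUS_INVALID_PARAMETER;
    if (in_addr + len > SPACE_SIZE || out_addr + len > SPACE_SIZE) return STATUS_INVALID_PARAMETER;
    memcpy(&g_space[out_addr], &g_space[in_addr], len);
    return STATUS_SUCCESS;
}

/* What ProbeForRead()/ProbeForWrite() do for a METHOD_NEITHER buffer: reject any
 * range that is not entirely below the user/kernel boundary, including ranges
 * whose end wraps around (a length chosen to overflow the addition). */
static int probe_user_range(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end < addr) return 0;   /* wraparound */
    return end <= USER_LIMIT;
}

/* Hardened handler: same copy, but both caller-supplied ranges are probed first. */
static uint32_t handler_hardened(uint32_t code, uint32_t in_addr, uint32_t out_addr, uint32_t len)
{
    if (ioctl_method(code) != METHOD_NEITHER) return STATUS_INVALID_PARAMETER;
    if (!probe_user_range(in_addr, len) || !probe_user_range(out_addr, len))
        return STATUS_ACCESS_VIOLATION;   /* a real driver returns this from its __except block */
    memcpy(&g_space[out_addr], &g_space[in_addr], len);
    return STATUS_SUCCESS;
}

/* The attack from the synthesis: input = attacker byte in user memory, output
 * pointer aimed at the kernel secret.  Returns the kernel byte afterwards:
 * 0xFF means it was overwritten, 0x42 means the driver refused. */
static uint8_t run_attack(uint32_t (*handler)(uint32_t, uint32_t, uint32_t, uint32_t))
{
    reset_space();
    g_space[16] = 0xFF;   /* attacker-controlled input byte */
    handler(IOCTL_MODEL_COPY, 16, KERNEL_SECRET_ADDR, 1);
    return g_space[KERNEL_SECRET_ADDR];
}

int main(void)
{
    printf("vulnerable handler: kernel byte = 0x%02x\n", run_attack(handler_vulnerable));
    printf("hardened handler:   kernel byte = 0x%02x\n", run_attack(handler_hardened));
    return 0;
}
```

Note that the hardened handler still dereferences the pointers after probing; in a real driver the probe and the access must both sit inside the same __try block, because a malicious caller can unmap the range between the probe and the copy.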

computer vulnerability CVE-2008-3864 CVE-2008-3865

Trend Micro IS: vulnerabilities of TmPfw.exe

Synthesis of the vulnerability

An attacker can exploit two vulnerabilities in the firewall service of Trend Micro Internet Security, in order to trigger a denial of service or execute code.
Impacted products: TrendMicro Internet Security.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/01/2009.
Identifiers: BID-33358, CERTA-2009-AVI-026, CVE-2008-3864, CVE-2008-3865, VIGILANCE-VUL-8405.

Description of the vulnerability

The firewall service of Trend Micro Internet Security (TmPfw.exe) listens on port 40000/tcp. Its ApiThread() function does not correctly parse received packets, which creates two vulnerabilities.

A packet declaring a small size triggers an overflow, leading to code execution with SYSTEM privileges. [severity:3/4; CVE-2008-3865]

A packet declaring a large size triggers a denial of service. [severity:2/4; CERTA-2009-AVI-026, CVE-2008-3864]
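The following is an added example, not TmPfw.exe code and not its real wire format: a hypothetical length-prefixed message (4-byte little-endian total length, 2-byte command, body) parsed the way a network service should parse it. It shows why a "small size" and a "large size" are two different bugs: an unchecked subtraction turns a declared length below the header size into a near-4 GiB copy length, while a declared length above any sane cap drives allocation or reads past the received data. The sample packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (not TmPfw's real protocol): 4-byte little-endian
 * total length (header included), 2-byte command, then the body. */
#define HEADER_LEN 6u
#define MAX_PACKET 4096u   /* largest message the service is willing to hold */

struct packet { uint16_t cmd; uint32_t body_len; const uint8_t *body; };

enum parse_status {
    PARSE_OK,
    PARSE_NEED_MORE,      /* fewer bytes than a header: wait for more */
    PARSE_LEN_TOO_SMALL,  /* declared length below the header: the "small size" case */
    PARSE_LEN_TOO_LARGE,  /* declared length above the cap: the "large size" case */
    PARSE_TRUNCATED       /* declared length exceeds what was actually received */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The arithmetic behind the overflow: body length derived by unchecked
 * subtraction.  A declared length of 2 yields 0xFFFFFFFC, which then sizes a
 * copy into a fixed buffer.  Shown for reference; never used for a copy here. */
static uint32_t vulnerable_body_len(uint32_t declared_len) { return declared_len - HEADER_LEN; }

/* Hardened parser: every use of the declared length is preceded by a check. */
static enum parse_status parse_packet(const uint8_t *buf, size_t n, struct packet *out)
{
    if (n < HEADER_LEN) return PARSE_NEED_MORE;
    uint32_t declared = rd32le(buf);
    if (declared < HEADER_LEN) return PARSE_LEN_TOO_SMALL;   /* would underflow below */
    if (declared > MAX_PACKET) return PARSE_LEN_TOO_LARGE;   /* would exhaust buffers */
    if (declared > n) return PARSE_TRUNCATED;                /* would read past the data */
    out->cmd = rd16le(buf + 4);
    out->body_len = declared - HEADER_LEN;   /* safe: declared >= HEADER_LEN */
    out->body = buf + HEADER_LEN;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_GOOD[]  = { 10, 0, 0, 0, 1, 0, 'p', 'i', 'n', 'g' };
static const uint8_t PKT_SMALL[] = {  2, 0, 0, 0, 1, 0, 'p', 'i', 'n', 'g' };
static const uint8_t PKT_LARGE[] = { 0xff, 0xff, 0xff, 0x7f, 1, 0 };

static struct packet g_last;   /* result of the last parse_status_of() call */
static enum parse_status parse_status_of(const uint8_t *buf, size_t n)
{
    return parse_packet(buf, n, &g_last);
}

int main(void)
{
    enum parse_status st = parse_status_of(PKT_GOOD, sizeof PKT_GOOD);
    printf("good:  status %d, cmd %u, body_len %u\n", st, g_last.cmd, g_last.body_len);
    printf("small: status %d\n", parse_status_of(PKT_SMALL, sizeof PKT_SMALL));
    printf("large: status %d\n", parse_status_of(PKT_LARGE, sizeof PKT_LARGE));
    printf("unchecked body length for declared=2: 0x%08x\n", vulnerable_body_len(2));
    return 0;
}
```

The order of the checks matters: the lower bound must come before the subtraction, and the comparison against the bytes actually received must come before any read of the body, otherwise a peer can still make the service walk off the end of its receive buffer with a length that passes the cap.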

computer vulnerability CVE-2007-4277

Trend Micro AntiVirus scan engine: buffer overflow in Tmxpflt.sys

Synthesis of the vulnerability

A local attacker can execute code on the system by exploiting a buffer overflow in the Trend Micro AntiVirus scan engine.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 26/10/2007.
Identifiers: 1036190, CERTA-2007-AVI-456, CVE-2007-4277, VIGILANCE-VUL-7285.

Description of the vulnerability

Trend Micro products use a virus detection component named the Trend Micro AntiVirus scan engine. Under Windows, this engine uses a filter defined by the Tmfilter.sys module.

The permissions on this module grant write access to all users, and the data passed as parameter of IOCTL 0xa0284403 are not validated. A local attacker can thus use this IOCTL to cause a buffer overflow in the Trend Micro AntiVirus scan engine.

A local attacker can thus execute code with SYSTEM rights on the machine.
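The following is an added example, not code from Trend Micro or from the Vigil@nce bulletin. It decodes the two I/O control codes quoted on this page (0x00222400 for tmeext.sys in CVE-2014-9641 and 0xa0284403 for the scan engine filter in CVE-2007-4277) into the four fields of the Windows CTL_CODE layout. The decoding is plain arithmetic on the published numbers; the practitioner's point is what falls out of it: 0xa0284403 is a METHOD_NEITHER code that any caller with read access can send, so the driver itself had to validate the pointers it received, while 0x00222400 is METHOD_BUFFERED, meaning the unchecked data sat in an I/O-manager-supplied buffer rather than at a raw user address.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code (the CTL_CODE macro):
 *   bits 31-16 device type, bits 15-14 required access, bits 13-2 function, bits 1-0 method. */
static uint32_t ioctl_device_type(uint32_t code) { return code >> 16; }
static uint32_t ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
static uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
static uint32_t ioctl_method(uint32_t code)      { return code & 0x3u; }

static const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

static const char *access_name(uint32_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                                   "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 3u];
}

/* 1 if the driver itself must validate caller pointers for this code
 * (METHOD_NEITHER), 0 if the I/O manager buffers or maps them first. */
static int driver_must_probe(uint32_t code) { return ioctl_method(code) == 3u; }

static void describe(uint32_t code)
{
    printf("0x%08x: type=0x%04x access=%s function=0x%03x method=%s%s\n",
           code, ioctl_device_type(code), access_name(ioctl_access(code)),
           ioctl_function(code), method_name(ioctl_method(code)),
           driver_must_probe(code) ? "  (raw user pointers reach the driver)" : "");
}

int main(void)
{
    describe(0x00222400u);   /* tmeext.sys code from CVE-2014-9641; type 0x22 is FILE_DEVICE_UNKNOWN */
    describe(0xa0284403u);   /* scan engine filter code from CVE-2007-4277 */
    return 0;
}
```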

vulnerability note CVE-2007-3873

Trend Micro PC-cillin: buffer overflow of VST

Synthesis of the vulnerability

A local attacker can exploit an overflow in Trend Micro PC-cillin, in order to execute code with system privileges.
Impacted products: TrendMicro Internet Security.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 22/08/2007.
Identifiers: B1028, BID-25392, CVE-2007-3873, EN-1035845, VIGILANCE-VUL-7114.

Description of the vulnerability

The vstlib32.dll library implements the VST (Venus Spy Trap) feature of SSAPI, which detects spyware.

However, this library does not correctly check the data returned by the ReadDirectoryChangesW() function. If a local attacker creates a filename longer than MAX_PATH, an overflow occurs.

A local attacker can therefore execute code with system privileges.
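The following is an added example, not vstlib32.dll code. It reproduces the class of bug described above in portable C: a consumer of the FILE_NOTIFY_INFORMATION records that ReadDirectoryChangesW() returns copies the reported name into a fixed MAX_PATH buffer. The struct is declared locally with the Windows field layout so the example builds anywhere (Windows declares FileName as a one-element array; a C99 flexible array member is used here); the records are constructed, and the "secure" and "unchecked" functions are hypothetical names. The name in such a record is relative to the watched directory and may include subdirectories, which is how it can exceed MAX_PATH.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260u
typedef uint16_t WCHAR;   /* UTF-16 unit as on Windows; wchar_t is 4 bytes on most other C runtimes */

/* Same field layout as the Win32 FILE_NOTIFY_INFORMATION record returned by
 * ReadDirectoryChangesW().  Two facts the consumer must honour: FileNameLength
 * is in BYTES, and FileName is NOT NUL-terminated. */
struct file_notify_information {
    uint32_t NextEntryOffset;
    uint32_t Action;
    uint32_t FileNameLength;
    WCHAR    FileName[];
};

/* Vulnerable pattern: fixed MAX_PATH destination, length taken straight from
 * the record.  For a name of 260 units or more the copy and the terminator
 * both land past the end of `out`. */
static void copy_name_unchecked(const struct file_notify_information *fni, WCHAR out[MAX_PATH])
{
    memcpy(out, fni->FileName, fni->FileNameLength);
    out[fni->FileNameLength / sizeof(WCHAR)] = 0;
}

/* Hardened form: returns the number of units copied, or -1 when the record is
 * malformed or the name plus its terminator does not fit in `out_units`. */
static int copy_name_checked(const struct file_notify_information *fni, WCHAR *out, size_t out_units)
{
    if (fni->FileNameLength % sizeof(WCHAR) != 0) return -1;   /* odd byte count: malformed record */
    size_t units = fni->FileNameLength / sizeof(WCHAR);
    if (units + 1 > out_units) return -1;                       /* leave room for the terminator */
    memcpy(out, fni->FileName, fni->FileNameLength);
    out[units] = 0;
    return (int)units;
}

/* Build a constructed record whose name is `units` times 'A' inside `arena`. */
static struct file_notify_information *make_record(void *arena, size_t arena_size, size_t units)
{
    size_t need = offsetof(struct file_notify_information, FileName) + units * sizeof(WCHAR);
    if (need > arena_size) return NULL;
    struct file_notify_information *fni = (struct file_notify_information *)arena;
    fni->NextEntryOffset = 0;
    fni->Action = 1;   /* FILE_ACTION_ADDED */
    fni->FileNameLength = (uint32_t)(units * sizeof(WCHAR));
    for (size_t i = 0; i < units; i++) fni->FileName[i] = 'A';
    return fni;
}

/* Feed a name of `units` characters through the hardened copy and return its
 * result (-2 if the arena cannot hold the record). */
static int try_name(size_t units)
{
    static uint32_t arena[(16 + 1024 * sizeof(WCHAR)) / sizeof(uint32_t)];   /* uint32_t keeps the record aligned */
    WCHAR dst[MAX_PATH];
    struct file_notify_information *fni = make_record(arena, sizeof arena, units);
    if (fni == NULL) return -2;
    return copy_name_checked(fni, dst, MAX_PATH);
}

int main(void)
{
    static uint32_t arena[64];
    WCHAR dst[MAX_PATH];
    struct file_notify_information *fni = make_record(arena, sizeof arena, 12);
    copy_name_unchecked(fni, dst);   /* harmless for a short name; the overflow starts at 260 units */
    printf("unchecked copy of a 12-unit name: first unit 0x%04x\n", dst[0]);
    printf("12 units  -> %d\n", try_name(12));
    printf("259 units -> %d\n", try_name(259));
    printf("260 units -> %d\n", try_name(260));
    printf("300 units -> %d\n", try_name(300));
    return 0;
}
```

The same check applies when walking a buffer of several records via NextEntryOffset: every offset and every FileNameLength must be validated against the number of bytes the call actually returned before it is used.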
