The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability 

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Vulnerable software: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
References for this computer vulnerability: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.

Description of the vulnerability 

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on the Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [severity:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

This bulletin affects software or systems such as TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is "confirmed by the editor", and the origin is a document.

This bulletin is about 3 vulnerabilities.

An attacker with an expert level of ability can exploit this vulnerability.

Solutions for this threat 

Trend Micro: workaround for RAR, CAB and ZIP.
A workaround is available for each product in the information source.
Here is a summary:
 - OfficeScan and ServerProtect: do not install on a scan server.
 - InterScan Web Security Suite and InterScan Messaging Security: unrecognized files have to be quarantined (by default).
 - ScanMail: unrecognized files have to be quarantined (not by default).
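
The quarantine workaround amounts to a fail-closed rule: an archive the scanner cannot open is held instead of delivered. The sketch below is an added illustration, not Trend Micro code or configuration; the function names and verdict strings are hypothetical, Python's zipfile module stands in for the scanner's archive parser, and the damaged sample is simply a truncated copy of a constructed archive.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; RAR and CAB are left out for brevity


def build_sample_zip() -> bytes:
    """Constructed sample: a small, well-formed ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers\n" * 20)
    return buf.getvalue()


def inspect_archive(data: bytes):
    """Return (members, None) if every member can be read, else (None, reason)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # reads every member and checks its CRC
            if bad is not None:
                return None, f"CRC failure in member {bad!r}"
            return [(i.filename, zf.read(i)) for i in zf.infolist()], None
    except Exception as exc:
        # Fail closed: any parser failure means the content was not scanned.
        return None, f"{type(exc).__name__}: {exc}"


def gateway_verdict(data: bytes, quarantine_unscannable: bool = True) -> str:
    """Decide what to do with one attachment (hypothetical policy function).

    quarantine_unscannable=True models the setting the workaround asks for;
    False models a configuration that lets unrecognized files through.
    """
    if not data.startswith(ZIP_MAGIC):
        return "scan-as-plain-file"
    members, _reason = inspect_archive(data)
    if members is not None:
        return "scan-members"  # each extracted member goes to the AV engine
    return "quarantine" if quarantine_unscannable else "deliver-unscanned"


if __name__ == "__main__":
    good = build_sample_zip()
    damaged = good[: len(good) // 2]  # constructed: truncated, so unreadable
    for label, blob in (("good", good), ("damaged", damaged)):
        print(label, gateway_verdict(blob), gateway_verdict(blob, False))
```

The only difference between the two policies appears on the archive that cannot be parsed: one holds it, the other passes it on without any scan having taken place.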
