The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity note 8683

Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Severity of this announce: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
Références of this computer vulnerability: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [severity:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Full Vigil@nce bulletin... (Free trial)

This computer weakness announce impacts software or systems such as TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is of type confirmed by the editor, with an origin of document.

This bulletin is about 3 vulnerabilities.

An attacker with a expert ability can exploit this vulnerability.

Solutions for this threat

Trend Micro: workaround for RAR, CAB and ZIP.
A workaround is available for each product in the information source.
Here is a summary:
 - OfficeScan and ServerProtect : do not install on a scan server.
 - InterScan Web Security Suite and InterScan Messaging Security : unrecognized files have to be quarantined (by default).
 - ScanMail : unrecognized files have to be quarantined (not by default).
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides computer security patches. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.