X

Take three: Antivirus apps could spread infection

A flaw in Trend Micro's software lets attackers run a virus instead of stopping it, in the third such security hole found this month.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Internet Security Systems has found a flaw in Trend Micro's virus-scanning software--the third time this month that the security company has picked a hole in an antivirus product.

The vulnerability affects Trend Micro's Antivirus Library, a common set of code used by at least 29 Trend Micro products, according to separate advisories posted on Trend Micro's Web site on Wednesday and on ISS' site on Thursday. An attacker could create a program that exploits the security hole, causing the antivirus program to run a virus instead of blocking the malicious program, the companies said.

"Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines being protected by Trend Micro Antivirus Library products," ISS said in its advisory.

The flaw is similar to those found in antivirus software from Symantec and F-Secure. Because it's a library flaw, it adds up to a broad vulnerability in Trend Micro products that could be exploited to automatically run a malicious program. The flaw is caused by a memory error known as a heap overflow.

It affects not only Trend Micro applications on Windows systems, but also the company's software running on Linux, Solaris and other Unix-like operating systems.

"We looked at the issue, we verified it and found it to be true," said Joe Hartmann, North American director of antivirus research for Trend Micro. "We created a solution to it in a couple of days and...alerted our customers about the problem."

Among the products that are affected by the problem are various versions of Trend Micro InterScan, Trend Micro ScanMail and Trend Micro ServerProtect.

Trend Micro's advisory recommends that customers update their antivirus software to version 7.510, which fixes the problem.

ISS dealt with a flaw in its own security products nearly a year ago. The subsequent Witty worm exploited the security hole to spread to a modest number of computers on the Internet. A representative of ISS could not immediately be reached for comment.