=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN337
_____________________________________________________________________

DATE                      : 26/05/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ZoneAlarm Anti-virus,
                                  ZoneAlarm Security Suite.

======================================================================

Zone Labs Security Alert
Zone Labs Anti-virus Engine OLE Processing Issue

Date Published          May 24, 2005
Date Last Revised       May 24, 2005

Severity                High


Overview
========

A security vulnerability existed in the anti-virus engine of specific
versions of ZoneAlarm Anti-Virus and ZoneAlarm Security Suite
(ZoneAlarm and ZoneAlarm Pro are not affected.)

The vulnerability was caused due to an integer overflow in the Vet
anti-virus engine (VetE.dll) when analyzing OLE streams. This can be
exploited to cause a heap-based buffer overflow via a specially
crafted Microsoft Office document.

Zone Labs has released an updated anti-virus engine for affected
products which is automatically applied during the next anti-virus
update, which typically occurs daily.  Customers may also manually
update their anti-virus service for immediate protection.

Zone Labs remains committed to providing our customers with advanced
Internet security technologies for PC protection.


Impact
======

If successfully exploited, a skilled attacker could cause the
firewall to stop processing traffic, execute arbitrary code, or
elevate malicious code's privileges.

Zone Labs recommends affected users update their anti-virus engine
and definitions to the current versions which address the issue.

Affected Products
     * ZoneAlarm Anti-virus and ZoneAlarm Security Suite

Unaffected Products
     * ZoneAlarm and ZoneAlarm Pro
     * Check Point Integrity clients and Integrity Server
     * Integrity Clientless Security products


Description
===========

ZoneAlarm Anti-Virus and ZoneAlarm Security Suite use the Vet engine
from Computer Associates for anti-virus detection.  Due to an
integer wrap issue in the code associated with OLE processing, a
heap overflow may occur which could potentially allow a skilled
attacker
to cause the firewall to stop processing traffic or execute arbitrary
code.


Recommended Actions
===================

ZoneAlarm Anti-virus and ZoneAlarm Security Suite users should
upgrade the anti-virus engine to version 11.9.1 or later.

To update your ZoneAlarm Anti-virus or Security Suite product:

     1. Select Antivirus

     2. In the Status area, choose the Update Now option

     3. Select Overview | Product Info and verify that the Antivirus
        Vet engine version is 11.9.1 or higher


Related Resources
=================

Zone Labs Security Services: http://www.zonelabs.com/security


Acknowledgments
===============

Zone Labs would like to thank Alex Wheeler for reporting this issue
to Zone Labs.


Contact
=======

Zone Labs customers who are concerned about this vulnerabilities or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/

To report security issues with Zone Labs products contact:
security at zonelabs.com.  Note that any other matters sent to this
email address will not receive a response.

Disclaimer:
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.

Copyright:
(c)2005 Zone Labs LLC All rights reserved. Zone Labs, TrueVector,
ZoneAlarm, and Cooperative Enforcement are registered trademarks
of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and
IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity
protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off.
Cooperative Enforcement is a service mark of Zone Labs LLC All other
trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================