=====================================================================
CERT-Renater Note d'Information No. 2008/VULN298
_____________________________________________________________________

DATE : 12/08/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Trend Micro OfficeScan, Trend Micro Worry-Free Business Security, Trend Micro Client Server Messaging Security for SMB.
======================================================================

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899
______________________________________________________________________

Trend Micro OfficeScan ActiveX Buffer Overflow Issue

Solution ID: 1037899
Product: OfficeScan - 7.0, OfficeScan - 7.3, OfficeScan - 8.0, Worry-Free Business Security - 5.0, Client Server Messaging Security for SMB - 3.5, Client Server Messaging Security for SMB - 3.6
Operating System: Windows 2000 Advanced Server - SP4, Windows 2000 Server - SP4, Windows NT 4.0 SP 6a, Windows Server 2003 Standard Edition - SP1, Windows Vista, Windows XP
Published: 7/31/08 5:55 PM

Problem: Trend Micro OSCE Vulnerability Disclosure

Solution:

I. Description:

Trend Micro has become aware of an issue that affects some versions of Trend Micro OfficeScan (OSCE) whereby a remote user could cause a buffer overflow and execute arbitrary code in the context of the currently logged-in user.

II. Products Affected:

This issue affects the following Trend Micro products and versions:

• Trend Micro OfficeScan (OSCE) versions 7.0, 7.3, and 8.0
• Trend Micro Worry-Free Business Security (WFBS) version 5.0
• Trend Micro Client Server Messaging Security (CSM) versions 3.5 and 3.6

III. Background:

The OfficeScan Web Console uses several ActiveX controls when deploying the product through its Web interface. One of these controls, objRemoveCtrl, has been found to be vulnerable to a stack-based buffer overflow when embedded in a web page.

An attacker could exploit this issue by enticing a victim into viewing a malicious web page. A successful exploit would allow attacker-supplied code to run in the context of the currently logged-in user.

IV. Impact:

A potential attacker could exploit this issue and execute arbitrary code with the user's privileges or entice them to visit a malicious web page. Please note that only clients that were installed via the Web console would be vulnerable, because the ActiveX control is downloaded during that installation. Clients installed via other methods would not be affected.

V. Workaround:

A temporary workaround has been identified for this issue. Administrators may set the kill bit to prevent objRemoveCtrl from running in Internet Explorer. For more information, please read the following information from Microsoft: "How to stop an ActiveX control from running in Internet Explorer".

VI. Permanent Solution:

To address this issue, Trend Micro has tentatively scheduled the release of security patches for the affected products and versions as listed below:

• OfficeScan 7.0, 7.3, and 8.0: August 8, 2008
• Worry-Free Business Security 5.0: August 8, 2008
• Client Server Messaging Security 3.5 and 3.6: August 15, 2008

An announcement will be made if the security patches become available before the scheduled dates. If you are still seeing error messages after this latest update, please contact your local Trend Micro support contact for additional assistance.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41      +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================
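The kill-bit workaround from section V, as an added PowerShell example that is not part of the Trend Micro or CERT-Renater advisory. The CLSID is a placeholder because the advisory does not list objRemoveCtrl's CLSID, and the Set-ActiveXKillBit / Test-ActiveXKillBit function names are this example's own.

```powershell
# Added example, not from the Trend Micro or CERT-Renater advisory: apply and audit the
# IE kill bit for an ActiveX control, as Microsoft describes in "How to stop an ActiveX
# control from running in Internet Explorer". Run from an elevated PowerShell.

# PLACEHOLDER: the advisory does not give objRemoveCtrl's CLSID. Read it from the
# control's registration under HKCR\CLSID on an affected client and substitute it here.
$ObjRemoveCtrlClsid = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

# Kill bits live under the ActiveX Compatibility key. On 64-bit Windows, 32-bit IE
# reads the Wow6432Node view, so cover that view too when it exists.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present instead of overwriting them.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$existing -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # $true only if every applicable registry view carries the kill bit.
    $ok = $true
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBit) -ne $KillBit) {
            Write-Warning "Kill bit not set under $key"
            $ok = $false
        }
    }
    return $ok
}

Set-ActiveXKillBit -Clsid $ObjRemoveCtrlClsid
Test-ActiveXKillBit -Clsid $ObjRemoveCtrlClsid
```

Test-ActiveXKillBit can be run on its own across the fleet to confirm the workaround is in place before the scheduled patches land.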