Security Watch

Keeping Track of patches and hacks in the IT security world.

Trend Micro: The Only Anti-virus (and Vulnerability-Stricken!) Biggie on MS' Certified for Vista List

Why is it the only one there? It sure isn't because of its track record of popping up in US-CERT for vulnerability warnings, at least as of today!

My former colleague and security blogger hero, Ryan Naraine, pointed out today that Microsoft's just-released list of Vista-compatible apps lacks the anti-virus heavyweights: CA, Symantec, eTrust, McAfee. The only recognizable AV name on the list is Trend Micro.

How ironic is this: four buffer overflow vulnerabilities listed on US-CERT's recent vulnerability notes list, all in Trend Micro's ServerProtect product? ServerProtect provides anti-virus scanning for servers, detecting and removing viruses from files and compressed files in real time.

The flaws are all stack-based buffer overflow vulnerabilities. Here are where they're located, how they're triggered, and where the advisories and patches are:

1. A flaw in the ENG_SetRealTimeScanConfigInfo()routine can allow an overflow if triggered by sending a specially crafted RPC packet to an affected ServerProtect installation. Here's the advisory. This could let in a remote, unauthenticated user, who could send out arbitrary commands. Trend Micro has a patch here. 2. The CMON_ActiveUpdate() and CMON_ActiveRollback() routines have flaws that can set off overflows if triggered by a specially crafted RPC packet sent to an affected installation. Here's the advisory. Here's the patch.

3. The CMON_NetTestConnection() routine has a flaw that can be used to set off an overflow if a specially crafted RPC packet is sent to an affected installation. The advisory is here, and here's the patch. 4. The ENG_SendEMail() routine has a flaw that can set off an overflow by if a specially crafted RPC packet is sent to an affected Trend Micro ServerProtect installation. The advisory is here, and the patch is here.

Of course, it's just a coincidence that Trend Micro's got four stack-based buffer overflows showing up on the same day it made the Vista-compatible list. As for the rest of the AV biggies, I only managed to get CA on the phone, since I was curious about it, and the company's explanation, at least, is perfectly reasonable.

Sam Curry, vice president of security management, pointed out that there are several degrees of certification from Microsoft. The first one is "Works with Windows Vista," which CA has. CA has it by virtue of being a strategic Microsoft partner and having participated in the Vista beta program.

The second level of certification is "Certified with Windows Vista." This one requires that all components be Microsoft components, or Vista-specific components. In CA's case, you use a third-party installation software to plug CA's applications in, which makes them ineligible for the "Certified With" label, but we can safely assume it doesn't mean "Won't work worth &^%$ with Vista."