Trend Engine Update

On February 26, 2005, in Security, by

To manually update TREND:

Otherwise on March 3rd it will get the necessary update.  [me I’m waiting]

Follow these steps to manually update your ScanMail scan engine:

1. Open your Web browser and type the following URL address:

2. Download the scan engine for your program version of ScanMail.

3. Stop the ScanMail Real-time Scanning services (Select Start > Programs > Administrative Tools > Services > ScanMail_RealTimeScan > Stop) and make sure that no scheduled scans are running.

4. Double-click the downloaded file and unzip it.

5. Copy all files to the …\Trend\Smex directory, which overwrites the existing files.

6. Restart the ScanMail Real-time Scanning services (follow the steps in number 3 above, but substitute Start for Stop).

Excerpted from ScanMail for Exchange on-line help.

Trend Vulnerability

This vulnerability exists in the ARJ archive file format parser.

The ARJ archive file format is too flexible, especially in the file name
field in the local header. This file name is stored as a null-terminated
string and limited only by the overall size of the local header (local
header size is stored as a 16-bit value and is limited to 2,600 bytes only).

If the file name exceeds the maximum allocated size, the VSAPI scan engine
still copies this file name into a 512-byte buffer, overwriting the
succeeding data structure. One of the fields in the said data structure is a
pointer to another data structure. The next instruction after the copying of
the file name is an assignment instruction to a member of the structure that
is referred to by the overwritten pointer. The said routine causes an
illegal memory access.

Thus, it is possible to create a specially-crafted ARJ archive file that
overwrites data after the allocated 512-byte buffer. This specially-crafted
file could possibly execute arbitrary code.
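
The length check whose absence is described above, as an added example (not Trend Micro's code and not from the advisory): a parser copies the ARJ header file name into a 512-byte buffer only after confirming that it is terminated inside the header and fits. The header layout (0x60 0xEA magic, 16-bit little-endian header size, `first_hdr_size` byte giving the file name offset) is assumed from the public ARJ format description; `arj_copy_name` and `arj_try_name_len` are hypothetical names, and the sample header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARJ_MAX_BASIC_HDR 2600 /* limit on the 16-bit header size, per the text */
#define NAME_BUF_SIZE     512  /* destination buffer size named in the text */
enum { ARJ_OK = 0, ARJ_BAD_HEADER = -1, ARJ_NAME_TOO_LONG = -2 };

/* Copy the file name of one ARJ header into out. Assumed layout: 0x60 0xEA,
 * u16 LE basic header size, then the basic header, whose first byte
 * (first_hdr_size) is the offset of the NUL-terminated file name within it. */
int arj_copy_name(const uint8_t *p, size_t len, char out[NAME_BUF_SIZE])
{
    if (len < 5 || p[0] != 0x60 || p[1] != 0xEA)
        return ARJ_BAD_HEADER;
    size_t basic = (size_t)p[2] | ((size_t)p[3] << 8);
    size_t first = p[4];
    if (basic > ARJ_MAX_BASIC_HDR || basic > len - 4 || first == 0 || first >= basic)
        return ARJ_BAD_HEADER;
    const uint8_t *name = p + 4 + first;
    const uint8_t *nul = memchr(name, 0, basic - first);
    if (nul == NULL)
        return ARJ_BAD_HEADER;      /* unterminated name: never scan past the header */
    size_t n = (size_t)(nul - name);
    if (n >= NAME_BUF_SIZE)
        return ARJ_NAME_TOO_LONG;   /* the length check the text says was missing */
    memcpy(out, name, n + 1);       /* name plus its terminator, at most 512 bytes */
    return ARJ_OK;
}

/* Constructed sample: header only (no CRC, no file data) whose name is
 * name_len 'a' bytes; returns what arj_copy_name() says about it. */
int arj_try_name_len(size_t name_len)
{
    uint8_t buf[4 + ARJ_MAX_BASIC_HDR] = {0x60, 0xEA};
    char out[NAME_BUF_SIZE];
    size_t first = 30;
    if (name_len > ARJ_MAX_BASIC_HDR - first - 2)
        return ARJ_BAD_HEADER;      /* would not fit in a 2,600-byte header */
    size_t basic = first + name_len + 2;   /* + name NUL and empty-comment NUL */
    buf[2] = (uint8_t)(basic & 0xFF); buf[3] = (uint8_t)(basic >> 8);
    buf[4] = (uint8_t)first;
    memset(buf + 4 + first, 'a', name_len);
    return arj_copy_name(buf, 4 + basic, out);
}

int main(void)
{
    printf("511 -> %d, 512 -> %d\n", arj_try_name_len(511), arj_try_name_len(512));
    return 0;
}
```

A 511-byte name plus its terminator fills the buffer exactly; anything longer is rejected instead of being copied, even though the 2,600-byte header limit would allow it.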

The ISS advisory can be seen here:

