Vulnerabilities galore
May was a month of flaw revelations, with vulnerabilities being disclosed
in the products of no fewer than nine security vendors.
At the start of the month details were revealed of a vulnerability
affecting Alwil, Avira and Panda products. The flaw involved an error in
the handling of the .zoo archive format, and could have been exploited to
cause an infinite loop, resulting in extreme CPU utilization or even denial
of service. Avira's AntiVir product also suffered three further potentially
exploitable vulnerabilities. These involved errors when processing LZH
files, TAR files and UPX-compressed files.
Also in early May, Trend Micro released details of two buffer-overflow
issues, which were thought to be exploitable only from the local system.
More buffer overflows were reported in McAfee and CA products. In a wide
range of McAfee products, a buffer overflow error in the Subscription
Manager ActiveX control meant that it was possible for code to be executed
from malicious websites, resulting in system compromise and remote access.
A number of CA's anti-virus and anti-spyware products were affected by two
buffer overflows. The vulnerabilities, which could only have been exploited
from the local system, could have allowed escalated privileges.
A flaw revealed in the ActiveX control of some of Symantec's Norton
products could also have been exploited by malicious websites to bypass
security measures and allow remote access. It proved to be a tricky month
all round for Symantec, with a false positive in its Norton AntiVirus
product range rendering thousands of Chinese computers unusable after it
flagged both netapi32.dll and lsasrv.dll as the Haxdoor backdoor trojan on
certain Simplified Chinese language versions of Windows XP SP2. A number of
enterprise customers are seeking compensation for losses incurred as a
result of the disruption.
Back to the month's vulnerabilities: a flaw was revealed by FrSIRT in open
source security software ClamAV. The flaw, which resides in the OLE2
parser, is potentially exploitable to cause denial of service. At the time
of writing no official patch is available.
Finally, the end of the month saw news of vulnerabilities in Eset and
F-Secure products. Two stack-overflow vulnerabilities were disclosed in
Eset's NOD32 AntiVirus product, while F-Secure revealed a buffer overflow
relating to LHA archive handling in a number of its products.
With the exception of the ClamAV flaw, patches for all vulnerabilities were
available prior to the announcements being made. As always, VB urges users
to ensure they are running the latest versions.
01 June 2007