Web attacks: Cure worse than disease?

The difference between checking for security holes and exploiting them is purely one of intent, as anti-virus maker Trend Micro Inc. has discovered.
Written by Steven J. Vaughan-Nichols, Contributor

Trend Micro's enterprise anti-viral program OfficeScan -- which also scans for denial-of-service (DoS) vulnerabilities -- is itself a prime vehicle for foul play. According to Bugtraq reports and Trend Micro itself, OfficeScan opens the door to internal attacks.

OfficeScan, it turns out, suffers from several problems. If the product is set to be administered from a server, as is commonly done, an attacker can impersonate the server and crash clients. Indeed, all it takes to lock up a client system is opening more than five simultaneous connections to it and then flooding them with random data.

Sysadmins can seal this hole by upgrading to version 3.5 of OfficeScan, which allows users to move the update features to other ports, and installing the updated dynamic link library, 3508tmsock.dll. For registered OfficeScan 3.1x users, that is a free upgrade.
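The crash condition above (more than five simultaneous connections to a client followed by random data) is also a detectable pattern. The following is an added example, not code from the article or from Trend Micro: a small detector that walks a connection log, tracks how many connections each source holds open to the agent's listening port at once, and reports sources whose peak exceeds the five-connection threshold the article gives. The log format, the port number and the host addresses are constructed for the example; the real OfficeScan client port is not named in the article.

```python
"""Flag sources holding more than five simultaneous connections to an
agent listening port.  Constructed example: the event format, port and
addresses are assumptions, not OfficeScan's own wire format or logs."""
from collections import defaultdict

# Constructed connection events: (time_seconds, source_ip, dst_port, event)
# 10.0.0.7 opens six connections to port 12345 and never closes them.
# 10.0.0.9 opens three, closes two, opens three more (peak 4: not flagged).
# 10.0.0.11 opens seven connections, but to an unrelated port (ignored).
SAMPLE_EVENTS = [
    (1, "10.0.0.7", 12345, "open"), (2, "10.0.0.7", 12345, "open"),
    (3, "10.0.0.7", 12345, "open"), (4, "10.0.0.7", 12345, "open"),
    (5, "10.0.0.7", 12345, "open"), (6, "10.0.0.7", 12345, "open"),
    (1, "10.0.0.9", 12345, "open"), (2, "10.0.0.9", 12345, "open"),
    (3, "10.0.0.9", 12345, "open"), (4, "10.0.0.9", 12345, "close"),
    (5, "10.0.0.9", 12345, "close"), (6, "10.0.0.9", 12345, "open"),
    (7, "10.0.0.9", 12345, "open"), (8, "10.0.0.9", 12345, "open"),
] + [(t, "10.0.0.11", 80, "open") for t in range(1, 8)]

# Assumed agent listening port for the example.
AGENT_PORT = 12345


def simultaneous_connection_peaks(events, port=AGENT_PORT, threshold=5):
    """Return {source: peak_open_connections} for every source whose number
    of concurrently open connections to `port` ever exceeded `threshold`.

    Events are processed in time order; an "open" increments the source's
    live count, a "close" decrements it (never below zero)."""
    live = defaultdict(int)
    peak = defaultdict(int)
    for _time, src, dst_port, event in sorted(events):
        if dst_port != port:
            continue
        if event == "open":
            live[src] += 1
            peak[src] = max(peak[src], live[src])
        elif event == "close":
            live[src] = max(0, live[src] - 1)
    return {src: p for src, p in peak.items() if p > threshold}


if __name__ == "__main__":
    for src, peak_count in simultaneous_connection_peaks(SAMPLE_EVENTS).items():
        print(f"{src}: peak of {peak_count} simultaneous connections to port {AGENT_PORT}")
```

On the constructed sample only 10.0.0.7 is reported, with a peak of six. In practice the threshold and port would come from the deployment, and a connection log from a firewall or host-based sensor would replace the constructed list.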

There's more trouble lurking in OfficeScan. Unlike all other Trend Micro products, OfficeScan doesn't have an authenticated, cryptographically protected protocol between clients and the program manager. That means that, within a network on the same subnet, there are numerous ways to use OfficeScan to do everything from causing a LAN-wide DoS attack, to rewriting entire hard drives, to subtly planting invisible Trojan programs on computers.

For the short term, the only solution is to disable the NTlisten.exe service on systems. By the end of the week, Trend Micro claims it will have a better answer. Dan Schrader, VP of new technology at Trend Micro, acknowledges these problems are "very significant and we're taking it seriously."

Specifically, by this weekend, Trend Micro will be releasing a patch that will automatically update OfficeScan programs to include authentication and encryption of commands and data flying between server and clients. Those, and other improvements, should seal this hole, he says.
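The root problem the patch addresses is that a client cannot tell a genuine manager command from one sent by any host on the subnet. The following is an added example, not OfficeScan's protocol or Trend Micro's patch: it shows the authentication half of such a fix, in which the manager attaches an HMAC over each command plus a fresh nonce under a shared key, and the client rejects any command whose tag does not verify (forged or tampered) or whose nonce it has already seen (replayed). The key, command names and message layout are all constructed for the example; encryption of the command body, which the article says the patch also adds, is not shown here.

```python
"""HMAC-authenticated command channel with replay protection.
Constructed example; the message format, key and command names are
assumptions and are not OfficeScan's own."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared secret; a real deployment would provision one per client.
SHARED_KEY = b"constructed-example-shared-secret"


def build_command(key: bytes, command: dict, nonce: Optional[str] = None) -> dict:
    """Manager side: serialise the command with a nonce and attach an
    HMAC-SHA256 tag over the exact bytes the client will verify."""
    nonce = nonce or secrets.token_hex(16)
    body = json.dumps({"nonce": nonce, "command": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class CommandVerifier:
    """Client side: accept a command only if its tag verifies under the
    shared key and its nonce has not been used before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def verify(self, message: dict):
        """Return ("ok", command), ("bad_tag", None) or ("replay", None)."""
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking leaks nothing via timing.
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return ("bad_tag", None)
        payload = json.loads(body)
        if payload["nonce"] in self.seen_nonces:
            return ("replay", None)
        self.seen_nonces.add(payload["nonce"])
        return ("ok", payload["command"])


def demo():
    """Walk through genuine, replayed, forged and tampered commands."""
    client = CommandVerifier(SHARED_KEY)
    genuine = build_command(SHARED_KEY, {"action": "update-pattern"}, nonce="n1")
    results = {"genuine": client.verify(genuine)}
    results["replayed"] = client.verify(genuine)          # same nonce again
    # A host without the key can build a well-formed message but not a valid tag.
    forged = build_command(b"attacker-guess", {"action": "restart-service"}, nonce="n2")
    results["forged"] = client.verify(forged)
    # Editing the body of a genuine message invalidates its tag.
    tampered = dict(genuine)
    tampered["body"] = genuine["body"].replace("update-pattern", "restart-service")
    results["tampered"] = client.verify(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Only the genuine message is accepted; the replay, the forged message and the tampered copy are all refused before the client acts on them. A real implementation would also encrypt the body and bind each key to a specific client, so that compromising one client key does not let its holder command the rest of the subnet.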

Why are the fixes taking a week? According to Schrader, because OfficeScan works on heterogeneous networks, Trend Micro is "making sure it's bulletproof before we release it." Ironically, the news of the OfficeScan vulnerability follows on the heels of Microsoft's offer of a free copy of OfficeScan for Microsoft Small Business Server 4.5 with every copy of SBS 4.5 purchased between March 1 and June 30.
