SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Trend Micro OfficeScan Vendors:   Trend Micro
TrendMicro OfficeScan Default Permissions Let Local Users Modify the Configuration
SecurityTracker Alert ID:  1010093
SecurityTracker URL:  http://securitytracker.com/id/1010093
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 7 2004
Impact:   Denial of service via local system, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 6.5
Description:   A configuration vulnerability was reported in Trend Micro's OfficeScan. A local user can modify or disable the anti-virus service.

Matt reported that the default installation of OfficeScan assigns 'Everyone:Full Control' privileges to the installation directory (e.g., c:\officescan) and the 'HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp' registry entry. As a result, a local user can delete files or modify registry keys to change the anti-virus service configuration or cause the service to fail.

The vendor was reportedly notified on October 12, 2003.

Impact:   A local user can modify the configuration settings or product files.
Solution:   According to the report, the vendor has developed a patch to provide access controls for the registry keys, available from the vendor and from resellers:

"OSCE_Hotfix_RegistryTool.zip"

This patch reportedly restricts certain client functions, such as the ability to run a manual scan.

According to the report, there is no fix available for the installation directory permission flaw.

Vendor URL:  www.trendmicro.com/ (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Security issue with Trend OfficeScan Corporate Edition


Product:              Trend OfficeScan
Product Description:  Trend OfficeScan is a Corporate Antivirus product from
Trend Microsystems
Vendor URL:           http://www.antivirus.com
Versions affected:    3.0 - 6.0 (5.58 is latest version, not fixed until
version 6.5)
Vendor notified:      12th October 2003
Vendor response:      Patch supplied - see details

Details:

The default installation of Trend OfficeScan allows a non admin user to
disable the service, stopping the Antivirus software from working due to
weak permissions. The default permissions on a Trend OfficeScan installation
are:

OfficeScan installation directory (c:\officescan client): "Everyone:Full
Control"
OfficeScan registry data
(HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp) "Everyone:Full
Control".

A user (or virus) simply needs to remove files or modify registry keys in
the locations above to cause the antivirus software to stop working.
Additionally, all OfficeScan options are configurable via the registry, e.g.
scan exclusion directories and file extensions to scan (or not scan) can be
configured. It is ironic that a product designed to increase the security of
corporate desktop computers has such weak security itself.

A patch has been developed which tightens security on the registry keys,
however stops certain client functions working (e.g. removes the ability for
the user to see which pattern file is installed, removes the ability to run
a manual scan on the PC). No patch has been supplied to tighten security on
the Trend installation directory. The registry patch is called
"OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend
reseller.

Beinning with Trend OfficeScan 6.5 there will be an option to tighten
security, however the default configuration will be to give Everyone:Full
Control on file system and registry keys.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC