Alarm Raise Over Vulnerability in Trend Micro’s Anti-Virus Tool
Security notification company Secunia has detected a potentially severe security flaw in Trend Micro Inc.'s HouseCall, a free online service for virus scanning. The company's researchers said that hackers could use the bug to hack Windows computers running Internet Explorer.
The security company disclosed that if an attacker gets success in exploiting HouseCall's vulnerability existing in customary ActiveX control that Trend Micro allocates to people who use its non-chargeable HouseCall service, he could trick those users into visiting a maliciously infected web page. The security researchers also said that the free scanning software HouseCall checks the computer for any infection from spyware, viruses or any other malware.
Furthermore, the researchers have rated the flaw as "highly critical". The flaw is positioned second in Secunia's five stage scoring system.
Secunia in its security advisory clearly defines that the bug is a result of a fault in the HouseCall ActiveX control named Housacall_ActiveX.dll. This could be exploited to defer formerly freed memory through a user, who is tricked into viewing a web page having a crafty 'notifyOnLoadNative ()' callback function.
Meanwhile, the researchers confirmed that the bug affects HouseCall ActiveX Control versions 188.8.131.528 and 184.108.40.2068, whereas spares other versions of the tool.
According to Trend Micro, it has plugged the hole in the ActiveX control as well as patched the HouseCall servers meant for public use. However, the company said that no extensive tests have been conducted on the fix and Trend Micro essentially wouldn't be liable for the fix's insufficiency, if at all.
Besides, according to the advisory from Trend Micro, the fix was created as a way to solve a client reported problem. But as the fix is not yet tested, Trend Micro makes no promise of the fix's performance nor warrants that it is free from error.
However, to remain safe, researchers recommend that people using IE remove the Housecall_ActiveX.dll and use Version 220.127.116.115 of the HouseCall service instead of its previous services.
Trend Micro advised organizations running HouseCall Server in-house to summon the "HouseCall 6.6 Hot Fix Build 1285" update via their usual support channels.
Related article: Alarming Rise In ID Theft Threats During Jan-Feb ‘07
» SPAMfighter News - 30-12-2008