<<<>>> Trend Micro, Inc. September 30, 2008 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) OfficeScan(TM) 8.0 Service Pack 1 Patch 1 Critical Patch - Server Build 3087 and Client Build 1040 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTICE: This critical patch was developed as a workaround or solution to a customer-reported problem. As such, this critical patch has received limited testing and has not been certified as an official product update. Consequently, THIS CRITICAL PATCH IS PROVIDED "AS IS". TREND MICRO MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS CRITICAL PATCH NOR DOES IT WARRANT THAT THIS CRITICAL PATCH IS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. Contents =================================================================== 1. Overview of This Critical Patch Release 1.1 Files Included in This Release 2. What's New 3. Documentation Set 4. System Requirements 5. Installation/Uninstallation 6. Post-Installation Configuration 7. Known Issues 8. Release History 9. Contact Information 10. About Trend Micro 11. License Agreement =================================================================== 1. Overview of This Critical Patch Release ======================================================================== There are two security issues included in this critical patch. a. This critical patch addresses the following potential security issues in the Trend Micro OfficeScan server CGI modules. - A vulnerability may allow attackers to trigger a buffer overflow and execute arbitrary code using Web user privileges. - A vulnerability may allow attackers to trigger a null pointer defect and cause the target child process to close. This can potentially cause denial of service conditions. b. This critical patch addresses a client directory traversal vulnerability in the OfficeScan Update Agent. The OfficeScan Update Agent client can receive requests from other clients. For update file distribution, the request format is "/activeupdate/". When the OfficeScan Update Agent client complies with this request, it can recognize and resolve the update file path but does not verify it. As a result, if an attacker changes the path to the directory traversal format, the following occur: - directory traversal, and - disclosure of file contents. 1.1 Files Included in This Release ====================================================================== Module File Name Build Number -------------------- ------------------ cgiABConsole.exe 8.0.3087 cgiABLogon.exe 8.0.3087 cgiCAV.exe 8.0.3087 cgiCheckIP.exe 8.0.3087 CGIOCommonN.dll 8.0.3087 cgiOnClientCfg.exe 8.0.3087 cgiOnClose.exe 8.0.3087 cgiOnInst.exe 8.0.3087 cgiOnMSCfg.exe 8.0.3087 cgiOnPSCfg.exe 8.0.3087 cgiOnRTCfg.exe 8.0.3087 cgiOnScan.exe 8.0.3087 cgiOnStart.exe 8.0.3087 cgiOnUnst.exe 8.0.3087 cgiOnUpdate.exe 8.0.3087 cgiRqAlertMsg.exe 8.0.3087 cgiRqINI.exe 8.0.3087 cgiRqOPP.exe 8.0.3087 cgiRqService.exe 8.0.1242 cgiRqUnInst.exe 8.0.3087 CGIShare.dll 8.0.3087 cgiShowSmb.exe 8.0.1242 PolicyServer.exe 8.0.3087 TimeString.dll 10.5.0.1040 Tmlisten.exe 10.5.0.1040 Tmlisten.exe(X64) 10.5.0.1040 2. What's New ======================================================================== Critical patch 3087 resolves the following issues: 1. A buffer overflow vulnerability may be exploited to execute arbitrary codes with Web user privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Critical patch 3087 updates the CGI modules to resolve this issue. 2. By sending the crafted HTTP headers, the null pointer defect can cause the target child process to close and potentially cause denial of service conditions, if there is a series of inactive processes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After applying critical patch 3087, the new CGI modules enhance the error handling mechanism to address this issue. 3. A client directory traversal vulnerability in the OfficeScan Update Agent may be exploited to traverse other directories and view the contents of files. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Critical patch 3087 adds a security check feature to the OfficeScan client to avoid client directory traversal. After applying critical patch 3087, the OfficeScan client: - Checks the update file path before opening it. It will only allow access to files under the "activeupdate" folder. - Normalizes the update file path before working on any file. Normalizing the path converts any relative path characters to a correct and complete path. 3. Documentation Set ======================================================================== o Readme.txt -- basic installation, known issues, release history, and contact information Electronic versions of the printed manuals are available at: http://www.trendmicro.com/download 4. System Requirements ======================================================================== Install OfficeScan 8.0 Service Pack 1 Patch 1 before installing this critical patch. 5. Installation/Uninstallation ======================================================================== 5.1 Installation ===================================================================== To install this critical patch: 1. Copy the critical patch executable file to a temporary folder, for example, "C:\temp". 2. Double-click the file. All critical patch modules are automatically copied to the correct destination. This critical patch installation package automatically rolls back the OfficeScan server to its previous configuration if it encounters problems during installation. If you encounter problems after installation, do a manual rollback. 5.2 Manual Rollback Procedure ===================================================================== To manually roll back to the original configuration: 1. Stop the following services: * OfficeScan Master Service * Trend Micro Policy Server for Cisco(TM) NAC 2. Locate the backup folder that the critical patch package created in the "\Trend Micro\PCCSRV\Backup\criticalPatch_B3087" directory. 3. Copy the backup modules to the original folders. * Copy "PolicyServer\*.*" to: "\Trend Micro\PolicyServer" * Copy "PCCSRV\*.*" to: "\Trend Micro\PCCSRV\" * Copy "Tmlisten.exe" files from the backup location to the following folders: - PCCSRV\Pccnt\Common - PCCSRV\Pccnt\Win64\X64 4. Start the services you stopped in step 1. 6. Post-Installation Configuration ======================================================================== No post-installation steps are required. Note: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing this product. 7. Known Issues ======================================================================== There are no known issues for this critical patch release. 8. Release History ======================================================================== Visit the following Web site for more information about updates to this product: http://www.trendmicro.com/download 9. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our Web site. Global Mailing Address/Telephone numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 10. About Trend Micro ======================================================================== Trend Micro, Inc. provides virus protection, anti-spam, and content-filtering security products and services. Trend Micro allows companies worldwide to stop viruses and other malicious code from a central point before they can reach the desktop. Copyright 2008, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, and OfficeScan are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 11. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://www.trendmicro.com/en/purchase/license/ Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Getting Started Guide or Administrator's Guide