
Trend Micro: Rollback of VSAPI Version 9.000 from ActiveUpdate

November 24th, 2009 | No Comments | Posted in Security, Software, Trend Micro

Some of you might have noticed this, but I’m writing a post about it anyway.

Trend Micro is now rolling back the VSAPI 9.000 from ActiveUpdate. Reason: “There have been reports of issues on the following products scanning certain malformed PDF files”.

The version available through ActiveUpdate is now 9.100.1001, which is essentially version 8.952.

The products affected are:
– OfficeScan
– ServerProtect
– Worry-Free Business Security (WFBS)

Earlier, they sent out an advisory about VSAPI 9.000 and problems with Windows NT (I think it was OfficeScan 7.3 and ServerProtect). The problems resulted in the Scan Engine being unable to load the pattern files.

Read the entire Customer Notification here:

CUSTOMER NOTIFICATION Rollback of VSAPI Version 9.000 from ActiveUpdate


Finjan how-to: Install Vital Security 9.2 on NG Appliance

November 24th, 2009 | No Comments | Posted in Finjan, Security

You might have read the release notes for Finjan Vital Security 9.2, and found that the instructions don’t make much sense. E.g.:

– The files are not available

– The notes are referring to files not available on the Finjan web site

– The instructions are incomplete and don’t work.

(http://www.finjan.com/objects/NGupdates/OSupdates/vs_ng_os_update_9.2_release_notes.htm)

Here are working instructions on how to install Vital Security v. 9.2 on a NG-appliance.

More »


0-day SMB remote exploit in Windows 7 and Windows Server 2008 R2

November 13th, 2009 | No Comments | Posted in Security, Windows

There is a new 0-day remote exploit available for Windows 7 and Windows Server 2008 R2.
This only works on R2 of Windows Server, but it works even with all the latest patches applied.

Exploiting the vulnerability crashes the system. This is done by sending a NetBIOS header that specifies that the SMB packet is 1, 2 or 4 bytes larger or smaller than it actually is.

When the system crashes, there is no BSOD; the system simply freezes. There are also no traces in the event logs (after reboot).

When the system receives the packet, it goes into an infinite loop.

The crash itself happens in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() (which is caused by an infinite loop).

The vulnerability could possibly be exploited through IE.

And the proof of concept works by:

1. Running the python code on a *nix box, and ensuring port 445 is open.
2. Connecting through SMB to the *nix box.
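The length mismatch described above can be checked for in captured traffic. The following is an added example, not code from the original post or from the proof of concept: it compares the length declared in the session header with the length implied by the SMB1 fields. It assumes direct-TCP (port 445) framing with a 24-bit length and a non-AndX SMB1 message; the function names and the sample bytes are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32
# AndX commands chain further blocks after the first one, so the simple
# length rule below does not apply to them and they are skipped.
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}

def smb1_structural_length(msg):
    """Length implied by the SMB1 fields themselves, or None if not parsable."""
    if len(msg) < SMB1_HEADER_LEN + 3 or msg[:4] != SMB1_MAGIC:
        return None
    if msg[4] in ANDX_COMMANDS:
        return None
    word_count = msg[SMB1_HEADER_LEN]
    bc_off = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(msg) < bc_off + 2:
        return None
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    # header + WordCount + words + ByteCount + bytes
    return bc_off + 2 + byte_count

def check_frame(frame):
    """Return (verdict, delta); delta = declared length - structural length."""
    if len(frame) < 4 or frame[0] != 0x00:
        return ("not-session-message", None)
    declared = int.from_bytes(frame[1:4], "big")
    structural = smb1_structural_length(frame[4:])
    if structural is None:
        return ("unparsed", None)
    delta = declared - structural
    return ("ok", 0) if delta == 0 else ("length-mismatch", delta)

# Constructed sample: minimal SMB1 negotiate response (command 0x72),
# WordCount = 1 (one parameter word), ByteCount = 0. Total 37 bytes.
SAMPLE_MSG = (SMB1_MAGIC + bytes([0x72]) + bytes(27)
              + bytes([1]) + b"\x00\x00" + b"\x00\x00")

def nbss_frame(msg, declared_len):
    """Prefix msg with a session header carrying declared_len (test helper)."""
    return b"\x00" + declared_len.to_bytes(3, "big") + msg

if __name__ == "__main__":
    n = len(SAMPLE_MSG)
    for declared in (n, n + 1, n - 2, n + 4):
        print(declared, check_frame(nbss_frame(SAMPLE_MSG, declared)))
```
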

Read more:
http://isc.sans.org/diary.html?storyid=7573
http://blog.trendmicro.com/new-smb-zero-day-exploit/
http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html


Trend Micro VSAPI 9.000 soon available through ActiveUpdate

November 9th, 2009 | No Comments | Posted in Security, Software

If you didn’t get the latest Technical Advisory from Trend Micro, here is a brief summary.

On November 16, 2009, Trend Micro will make the VSAPI 9.000 available through ActiveUpdate (AU).

It will be released for the following products:
– OfficeScan
– Client Server Messaging Suite / Client Server Suite
– Worry Free Business Security
– ServerProtect for NT
– Trend Micro Control Manager

And it will include the following new features:
– Support for the detection of files that contain known PDF exploits
– Support for shellcode detection
– Recognition of the following additional file types:
    – Flash Video (FLV)
    – Microsoft Document Imaging (MDI)
    – Moving Picture Experts Group (MPEG)
    – QuickTime (MOV)
    – RIFF
    – SITX
    – ZIP64
– Support for the detection of exploits to Microsoft Office vulnerabilities

Edit: The entire Advisory has been posted on the TCSE community – from ACAPacific blog.
