[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2B68DEC547C842BFA3D153C33F6667E0@localhost>
Date: Mon, 20 Sep 2010 21:45:29 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Vulnerable 3rd-party DLLs used in TrendMicro's
malware scanner HouseCall
Trend Micro <http://www.trendmicro.com/> / <http://www.antivirus.com/>
offer a free malware cleanup tool named "HouseCall 7.1" for Windows:
<http://housecall.trendmicro.com/>
<http://go.trendmicro.com/housecall7/HousecallLauncher.exe>
<http://go.trendmicro.com/housecall7/HousecallLauncher64.exe>
Versions of this "security" product before the current build 1078
from 2010-08-30, published 2010-09-06 (according to HTTP timestamp),
came with outdated and vulnerable OpenSource components:
1. libcurl.dll: version 7.19.0 from 2008-09-01
updated 10 times since, at least 3 times due to vulnerabilities;
see <http://curl.haxx.se/> and
<http://curl.haxx.se/docs/security.html>
2. ssleay32.dll and libeay32.dll: version 0.9.8i from 15.2008-09-15
updated 5 times since due to vulnerabilities; see
<http://openssl.org/news/> and
<http://openssl.org/news/vulnerabilities.html>
3. bzip2.exe: version 1.0.2
gets downloaded upon start, updated 3 times since then due to
vulnerabilities; see <http://www.bzip.org/downloads.html>
Users who downloaded this "security" product before 2010-09-07 should
get a new copy ASAP!
Stefan Kanthak
Timeline:
2010-07-08: informed vendor support
no reaction
2010-07-15: informed vendor sales department
2010-07-16: reply from vendor: will forward to product manager
2010-07-21: reply from vendor: service engineering team now in charge
2010-08-26: sent status request to vendor
2010-08-26: reply from vendor: will request status from product manager
no more reaction
2010-09-06: silently fixed
2010-09-16: report published
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists