BugTraq
Vulnerable 3rd-party DLLs used in TrendMicro's malware scanner HouseCall Sep 20 2010 07:45PM
Stefan Kanthak (stefan kanthak nexgo de)
Trend Micro <http://www.trendmicro.com/> / <http://www.antivirus.com/>
offer a free malware cleanup tool named "HouseCall 7.1" for Windows:
<http://housecall.trendmicro.com/>
<http://go.trendmicro.com/housecall7/HousecallLauncher.exe>
<http://go.trendmicro.com/housecall7/HousecallLauncher64.exe>

Versions of this "security" product before the current build 1078
from 2010-08-30, published 2010-09-06 (according to HTTP timestamp),
came with outdated and vulnerable OpenSource components:

1. libcurl.dll: version 7.19.0 from 2008-09-01

updated 10 times since, at least 3 times due to vulnerabilities;
see <http://curl.haxx.se/> and
<http://curl.haxx.se/docs/security.html>

2. ssleay32.dll and libeay32.dll: version 0.9.8i from 15.2008-09-15

updated 5 times since due to vulnerabilities; see
<http://openssl.org/news/> and
<http://openssl.org/news/vulnerabilities.html>

3. bzip2.exe: version 1.0.2

gets downloaded upon start, updated 3 times since then due to
vulnerabilities; see <http://www.bzip.org/downloads.html>

Users who downloaded this "security" product before 2010-09-07 should
get a new copy ASAP!

Stefan Kanthak

Timeline:

2010-07-08: informed vendor support

no reaction

2010-07-15: informed vendor sales department

2010-07-16: reply from vendor: will forward to product manager

2010-07-21: reply from vendor: service engineering team now in charge

2010-08-26: sent status request to vendor

2010-08-26: reply from vendor: will request status from product manager

no more reaction

2010-09-06: silently fixed

2010-09-16: report published

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus