Zone Labs ZoneAlarm Vet anti-virus engine OLE processing vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Zone Labs ZoneAlarm Vet anti-virus engine OLE processing vulnerability
From: "Zone Labs Product Security" <Product-Security@xxxxxxxxxxxx>
Date: Wed, 25 May 2005 08:43:52 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "Zone Labs Security Team" <security@xxxxxxxxxxxx>
Thread-index: AcVhQN0cKeLgdIrhT4K8lAPg73BIOg==
Thread-topic: Zone Labs ZoneAlarm Vet anti-virus engine OLE processing vulnerability

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zone Labs Security Alert
Zone Labs Anti-virus Engine OLE Processing Issue

Date Published          May 24, 2005
Date Last Revised       May 24, 2005

Severity                High


Overview
========

A security vulnerability existed in the anti-virus engine of specific
versions of ZoneAlarm Anti-Virus and ZoneAlarm Security Suite 
(ZoneAlarm and ZoneAlarm Pro are not affected.)

The vulnerability was caused due to an integer overflow in the Vet 
anti-virus engine (VetE.dll) when analyzing OLE streams. This can be 
exploited to cause a heap-based buffer overflow via a specially 
crafted Microsoft Office document.

Zone Labs has released an updated anti-virus engine for affected 
products which is automatically applied during the next anti-virus 
update, which typically occurs daily.  Customers may also manually 
update their anti-virus service for immediate protection.

Zone Labs remains committed to providing our customers with advanced 
Internet security technologies for PC protection.


Impact
======

If successfully exploited, a skilled attacker could cause the 
firewall to stop processing traffic, execute arbitrary code, or 
elevate malicious code's privileges.

Zone Labs recommends affected users update their anti-virus engine 
and definitions to the current versions which address the issue.
 
Affected Products
    * ZoneAlarm Anti-virus and ZoneAlarm Security Suite

Unaffected Products
    * ZoneAlarm and ZoneAlarm Pro
    * Check Point Integrity clients and Integrity Server 
    * Integrity Clientless Security products


Description
===========

ZoneAlarm Anti-Virus and ZoneAlarm Security Suite use the Vet engine 
from Computer Associates for anti-virus detection.  Due to an 
integer wrap issue in the code associated with OLE processing, a 
heap overflow may occur which could potentially allow a skilled
attacker 
to cause the firewall to stop processing traffic or execute arbitrary
code. 


Recommended Actions
===================

ZoneAlarm Anti-virus and ZoneAlarm Security Suite users should 
upgrade the anti-virus engine to version 11.9.1 or later.

To update your ZoneAlarm Anti-virus or Security Suite product:

    1. Select Antivirus

    2. In the Status area, choose the Update Now option

    3. Select Overview | Product Info and verify that the Antivirus
       Vet engine version is 11.9.1 or higher


Related Resources
=================

Zone Labs Security Services: http://www.zonelabs.com/security


Acknowledgments
===============

Zone Labs would like to thank Alex Wheeler for reporting this issue 
to Zone Labs.


Contact
=======

Zone Labs customers who are concerned about this vulnerabilities or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/  

To report security issues with Zone Labs products contact:
security@xxxxxxxxxxxxx  Note that any other matters sent to this 
email address will not receive a response.

Disclaimer: 
The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any 
direct, indirect, or consequential loss or damage arising from use 
of, or reliance on, this information. Zone Labs and Zone Labs 
products, are registered trademarks of Zone Labs LLC and/or 
affiliated companies in the United States and other countries. 
All other registered and unregistered trademarks represented in 
this document are the sole property of their respective
companies/owners.

Copyright: 
(c)2005 Zone Labs LLC All rights reserved. Zone Labs, TrueVector, 
ZoneAlarm, and Cooperative Enforcement are registered trademarks 
of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and 
IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity 
protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. 
Cooperative Enforcement is a service mark of Zone Labs LLC All other 
trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of 
this file requires authorization from Zone Labs. Permission to 
electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are 
reserved by Zone Labs LLC.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQpSdxVDxXw2Is3mLEQIvJwCcC5EsnbBQ+QWVaUZBdXh0o1zBMkkAoIxg
2nXt1uCFFTGXjZlahfemO6PI
=0Ubb
-----END PGP SIGNATURE-----

Prev by Date: OpenServer 5.0.6 OpenServer 5.0.7 : nwprint privilege escalation
Next by Date: davfs2 does not honour Unix permissions
Previous by thread: OpenServer 5.0.6 OpenServer 5.0.7 : nwprint privilege escalation
Next by thread: davfs2 does not honour Unix permissions
Index(es):
- Date
- Thread