Internet Security Systems - AlertCon(TM)

The Scoop on the X-Force Trend Micro Advisories

Posted by David Dewey on November 10, 2008 at 4:00 PM EST.

X-Force has just released four advisories covering a total of eight vulnerabilities discovered in Trend Micro ServerProtect. Since the advisories contain less detail than you are used to seeing from X-Force, I feel we owe you an explanation.

X-Force reported the first two of these vulnerabilities (Advisories 307 and 308) to Trend Micro in late 2006. Since then, X-Force has discovered and reported additional vulnerabilities, the last of which was disclosed in January 2008. Each time, Trend assured us that fixes would be provided in the next scheduled patch. We have worked with them through four security patches, and in every case the reported vulnerabilities were either ignored or the solution they implemented was inadequate. In one case, their fix was as poorly architected as the issue it was meant to resolve and was easily evaded within minutes of installing the “patch”. In each case we sent them documentation of the issue, links to MSDN articles to assist with correcting the coding errors, and in one case even a video demonstrating how the exploitation takes place. When direct coordination proved a dead end, we also went through CERT/CC and JP-CERT in an effort to reach Trend more effectively. They responded to each of those organizations the same way they responded to us: by dismissing genuine resolution of the problems and asserting that their workarounds were sufficient to consider the issues addressed.

It is apparent that we have reached a crossroads with Trend, where they are unable or unwilling to sufficiently patch these eight critical vulnerabilities reported by X-Force. At this point, I feel it is important to let our customers know about the inherent and abundant security risks of running Trend Micro ServerProtect. With that, X-Force has published advisories with the technical details redacted: they allow our customers to understand that the vulnerabilities are present and what protection mechanisms they have at their disposal, without providing any details that could give an attacker an advantage in finding or exploiting these vulnerabilities.

***NOTE:  The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.