COMMAND

    Virus Buster

SYSTEMS AFFECTED

    Virus Buster 2001 (ver8.02)

PROBLEM

    Ichinose Sayo found  following.  He  found a vulnerability  in the
    feature of  virus scan  for e-mail  in Virus  Buster 2001 (program
    version 8.02) from Trend Micro Inc.

    Virus Buster 2001 is a japanese software package that has  similar
    functions  of  PC-cillin  2000  such  as  eMail Virus Scanning and
    Browser Scanning(scanning web contents).

    The feature  of virus  scan for  e-mail in  this software,  called
    "eMail  Virus  Scanning"  on  PC-cillin,  is  used  not to receive
    e-mail  including  virus  by  scanning  every  e-mail whenever MUA
    (Mail User Agent) imports e-mail by using POP3 protocol.

    The  function  is  running  as  a  proxy between MUA and MRA (Mail
    Retrieval Agent)  as well.   The buffer  overflow occurs  when MUA
    received  email  with  the  header  defined  in  RFC 822 including
    unusually long strings.   As a result,  the user of  this software
    is not able to receive any e-mail(s) more.  An attacker could  use
    this vulnerability to  execute arbitrary commands.   A restart  of
    the computer is required in order to gain normal functionality.

    Example of Issue:

        From: aaaaaaaaaa(about 17,000 characters)aaaaaaaaa
        To: ichinose@lac.co.jp
        Date: Fri, 23 Mar 2001 16:07:23 +0900
        Subject: TEST
        I've seen at all.

    This has been tested on Virus Buster 2001 (Japanese) v8.02.

    The problem is almost the same as the vulnerability exists in  the
    program  version  8.00  except  the  place  which  buffer overflow
    occurs.  This vulnerability does not exist in the version 8.01 but
    it is strongly recommended to  upgrade to the version 8.03  if you
    use the version 8.02 or earlier because the version 8.01 has *yet*
    another  buffer  overflow  vulnerability  by  receiving  an e-mail
    message including unusually long MIME Boundary.

    Web site  that shows  reproducing this  vulnerability is available
    from:

        http://www.lac.co.jp/security/english/test/virusbuster_header.html

SOLUTION

    This problem does  not affect the  program version 8.03.   You can
    update  to  the  program  version  8.03  by  using  the feature of
    automatically updating software called intelligent update.

    Since there  was the  bug which  incorrect-detects a  virus in the
    version 8.03, SP4 was released to the following site:

        http://www.trendmicro.co.jp/homeuser/download/vb2001sp4.htm

    Japanese only; the program will be updated to the version 8.04.