18 Apr 2000
Management tools used to streamline antivirus software updates can pose a security risk, a security testing company has warned.
NTA Monitor's warning came after Trend Micro instructed users to update from version 3.5.0 to 3.5.1 of its OfficeScan suite because of major security issues with its server-based management system.
Roy Hills, NTA Monitor's testing development director, said security issues involving the management functions of corporate virus checkers have become "a real threat".
Users reported two flaws in OfficeScan 3.5.0. The first was that system administration tasks were not protected by log-in mechanisms and could be performed by anyone who knew the URL of the admin web pages. The second leaves desktop PCs running OfficeScan vulnerable to denial of service attacks.
Dale de Kok, a member of Trend Micro's technical support team, admitted that there is a problem with web-based installations of OfficeScan on Windows NT servers, which has been fixed in version 3.5.1.
"Previous versions of OfficeScan would allow intruders within a firewall to initiate a denial of service attack on the OfficeScan client, as well as to capture OfficeScan commands," he said. "These commands could be replayed and used to change other OfficeScan client configurations."
The vulnerability has been fixed by encrypting server-to-client commands using the MD-5 Message-Digest Algorithm, added de Kok.
"Problems with the management utilities of antivirus software suites are not a new risk, but they have suddenly become a real threat," said Roy Hills, adding that businesses need to review how they configure antivirus software suites.
He said it is common practice to implement software upgrades by mailing someone a .reg file, which is merged into users' registries. This could be an avenue for infection, he said, advising administrators to configure their antivirus or content checking software to block particular download types.