[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerable 3rd-party DLLs used in TrendMicro's malware scanner HouseCall

Trend Micro <http://www.trendmicro.com/> / <http://www.antivirus.com/>
offer a free malware cleanup tool named "HouseCall 7.1" for Windows:

Versions of this "security" product before the current build 1078
from 2010-08-30, published 2010-09-06 (according to HTTP timestamp),
came with outdated and vulnerable OpenSource components:

1. libcurl.dll: version 7.19.0 from 2008-09-01

   updated 10 times since, at least 3 times due to vulnerabilities;
   see <http://curl.haxx.se/> and

2. ssleay32.dll and libeay32.dll: version 0.9.8i from 15.2008-09-15

   updated 5 times since due to vulnerabilities; see
   <http://openssl.org/news/> and

3. bzip2.exe: version 1.0.2

   gets downloaded upon start, updated 3 times since then due to
   vulnerabilities; see <http://www.bzip.org/downloads.html>

Users who downloaded this "security" product before 2010-09-07 should
get a new copy ASAP!

Stefan Kanthak


2010-07-08: informed vendor support

            no reaction

2010-07-15: informed vendor sales department

2010-07-16: reply from vendor: will forward to product manager

2010-07-21: reply from vendor: service engineering team now in charge

2010-08-26: sent status request to vendor

2010-08-26: reply from vendor: will request status from product manager

            no more reaction

2010-09-06: silently fixed

2010-09-16: report published