Trend Micro Puzzled Over Security Threat Ratings

Tokyo-based Trend claims it issued a patch to customers on Nov. 22 that fixed five security vulnerabilities in OfficeScan, software that protects enterprises from viruses, spyware, worms and blended attacks. The flaws affect OfficeScan versions prior to and including 6.5 and 7.3.

Trend issued an alert to customers classifying the threat as "medium," or 2 on a 3 point scale, on the grounds that an attacker would have to have password authentication to an OfficeScan server, as well as the OfficeScan console, in order to exploit the vulnerabilities.

Sadik Al-Abdulla, security solutions specialist at Madison, Wis.-based Berbee Information Networks, now a division of CDW, says an attacker would have a difficult time taking advantage of the OfficeScan flaws. "The bottom line is that the vulnerability is only exploitable if someone is already authenticated to the server," he said.

However, in a Tuesday bulletin to subscribers of its Deepsight Threat Management service, Symantec pointed to a pair of buffer overflow vulnerabilities in the OfficeScan server's "Wizard.exe" and "CgiRemoteInstall.exe" components and said they could enable remote attackers to execute malicious code and potentially gain control over affected servers.

Symantec assigned the vulnerabilities an aggregate threat score of 9.4 on a 10 point scale, and the French Security Incident Response Team (FrSIRT) chimed in with it highest rating of critical, 4 on a 4 point scale.

The discrepancy once again highlights the issue of how the third party organizations that publish security threat ratings can often differ when it comes to interpreting the severity of threats.

One solution provider who requested anonymity said while the vulnerability is serious, the alerts from Symantec and FrSIRT inflated the threat's severity. "It's important to know when there are vulnerabilities, but in my opinion the volume [of alerts] is getting to be too large," the source said.

Jorg Schneider-Simon, Trend's global product marketing manager for enterprise endpoint security, questioned the timing of the bulletin. "It seems to me the announcement of this vulnerability [happened] a while after we published the patch. This is not really hot news," Schneider-Simon said. He declined further comment.

But Alfred Huger, senior director of engineering at Symantec Security Response, said Symantec wasn't able to issue a bulletin before today because Trend didn't make the information publicly available. "They may have notified customers, but the information didn't become public domain until today," Huger said.

Although the vulnerability information was only made available to Trend's subscribers, Symantec never contacted Trend to ask for detailed information on the actual threat level prior to publishing its Deepsight alert, according to a Trend spokesperson.

Huger doesn't believe there's necessarily any harm in not making vulnerability information public, but says it's important to realize that companies don't always apply patches as soon as they're released.

"There's usually a window of vulnerability. For large enterprises, whether the vulnerability is critical or not, you still have an intensive testing phase," Huger noted.