HOTFIX: PC-cillin Internet Security 2007 and Trend Micro Anti-Spyware for Consumer 3.5
Affected operating systems:
Windows 2000 Professional Edition - SP4, Windows XP - SP1, Windows XP - SP2, Windows Vista
Affected Trend Micro products:
Trend Micro PC-cillin Internet Security 2007 15.0 - SSAPI v22.214.171.1246
Trend Micro PC-cillin Internet Security 2007 15.2 - SSAPI v126.96.36.1994
Trend Micro PC-cillin Internet Security 2007 15.3 - SSAPI v188.8.131.524
Trend Micro PC-cillin Internet Security 2007 15.2 Patch - SSAPI v184.108.40.2062
Trend Micro AntiSpyware 3.5 - SSAPI v220.127.116.116
At the moment there is only a hotfix; the official patches will not be made available via ActiveUpdate until September 10. If you are running the affected software you may want to consider installing the hotfix. After all, it seems there may be bad guys out there trying to exploit the ServerProtect vulnerability, and there is no reason why they wouldn't try to exploit this one as well. Exploitation could theoretically cause a denial-of-service condition or execute arbitrary code on an affected system.
The problem occurs when the Venus Spy Trap (VST) function of SSAPI is enabled and a new file is created whose path name length exceeds the MAX_PATH character limit. On Windows XP (SP2 or later), the SSAPI module in the affected Trend Micro products crashes as a result. On Windows 2000, the SSAPI module experiences a buffer overflow that allows shell code to be executed.
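The class of bug described above, sketched as an added example: it is not Trend Micro's code, which the page does not show. The `file_event` record, its `guard` field and `record_file_event` are hypothetical names; 260 is the Windows MAX_PATH value. The handler checks the incoming path against the destination buffer before copying and rejects anything that does not fit.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_CHARS 260   /* Windows MAX_PATH, counting the terminating NUL */

enum path_status { PATH_OK, PATH_TOO_LONG, PATH_INVALID };

/* Hypothetical per-event record kept by a file-creation monitor. */
struct file_event {
    char     path[MAX_PATH_CHARS];
    size_t   path_len;
    unsigned guard;            /* stands in for whatever sits after the buffer */
};

/* The unsafe pattern would be strcpy(ev->path, path): the length of the
 * source decides how much is written, so an over-long path overwrites
 * the fields that follow. The version below lets the destination decide. */
enum path_status record_file_event(struct file_event *ev, const char *path)
{
    size_t n = 0;

    if (ev == NULL || path == NULL)
        return PATH_INVALID;

    /* Bounded scan: never look further than the buffer could hold. */
    while (n < MAX_PATH_CHARS && path[n] != '\0')
        n++;

    if (n == MAX_PATH_CHARS) {         /* no room left for the NUL */
        ev->path[0] = '\0';
        ev->path_len = 0;
        return PATH_TOO_LONG;          /* reject; do not truncate silently */
    }
    memcpy(ev->path, path, n + 1);     /* n < MAX_PATH_CHARS, NUL included */
    ev->path_len = n;
    return PATH_OK;
}

int main(void)
{
    struct file_event ev = { .guard = 0xC0FFEEu };
    char long_path[400];               /* constructed over-long path */

    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    printf("short: %d\n", record_file_event(&ev, "C:\\Temp\\report.txt"));
    printf("long:  %d guard intact: %d\n",
           record_file_event(&ev, long_path), ev.guard == 0xC0FFEEu);
    return 0;
}
```

Rejecting the event rather than truncating keeps the monitor from acting on a path that no longer names the file that was actually created.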
Further information here: