Vulnerability in multiple antivirus products, Eset included

Just a FYI for any NOD32 users of a new vulnerablity:

Vulnerability in multiple antivirus products

By Bill Brenner, News Writer
18 Oct 2004 | SearchSecurity.com

Attackers could use a .zip file vulnerability in multiple antivirus software products to escape detection, Reston, Va.-based security firm iDefense Inc. warned Monday.

"This vulnerability affects multiple antivirus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV," the company said in an advisory. "Remote exploitation of an exceptional condition error in multiple vendors' antivirus software allows attackers to bypass security protections by evading virus detection."

The problem is in the parsing of .zip archive headers. According to iDefense: "The .zip file format stores information about compressed files in two locations -- a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality."

This vulnerability has been confirmed with both WinZip and Microsoft compressed folders, the company added. An attacker can compress a malicious payload and evade detection by some antivirus software by modifying the uncompressed size within the local and global headers to zero.

"Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected," iDefense said in the advisory. "Most antivirus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus."

The company said it has confirmed the flaw in the latest versions of engines provided by McAfee, Computer Associates, Kaspersky Labs, Sophos, Eset and RAV. The latest versions of engines provided by Symantec, Bitdefender, Trend Micro and Panda Software are not vulnerable.

As a workaround, iDefense recommends users filter all compressed file archives at border gateways, regardless of content.

The company said it has received responses from several of the vulnerable vendors. Among them:

Santa Clara, Calif.-based McAfee Inc. told iDefense: "McAfee is aware of a proof-of-concept exploitation in .zip archive payloads where information in the local header part of the archive is modified. The techniques used by McAfee to analyze .zip archives have allowed a comprehensive solution… The latest update for the current 4320 McAfee Antivirus Engine DATS drivers (Version 4398 released on Oct 13, 2004) further enhances the protection afforded to McAfee customers against such potential exploits. It should be noted that whilst McAfee takes the potential for this exploit to be used maliciously seriously, to date no evidence of such an exploit has been discovered."

Islandia, N.Y.-based Computer Associates International Inc. said in a statement, "With the assistance of iDefense, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .zip file to bypass virus detection. Customers are encouraged to visit the CA support site for more information about this vulnerability, a list of products and platforms that are effected, and remediation procedures."

 

But how about when the infected file is unzipped/extracted from the zip file? Shouldnt it then be detected?

 

This has been fixed for NOD32:

Eset
"The vulnerability was caused by the fact that some archive
compression/decompression software (including Winzip) incorrectly
handles compressed files with deliberately damaged header fields, thus,
in-fact, allowing creation of the damaged archive files, that could be
automatically repaired on the victims computer without notifying the
user.

Eset has made appropriate modifications to archive-scanning code to
handle such kind of archives immediately after receiving notification
from iDEFENSE. These changes are contained in archive-support module
version 1.020, released on 16th September 2004 at 21:00 CET. The update
was available for all clients with Automatic Virus-Signatures Update
set."

http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=false

 

Where does KAV stand on this issue?

 

I would say all this means is if it scans the archives
it won't detect it,if you open it,the virus is detected..
This sound right.

 

Kaspersky
(09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in next
(not current) cumulative update.

For scanners based on new 5.0 engine we recommend you waiting for the
release of our next maintenance pack. We are going to release it in
October