Vulnerability in multiple antivirus products, Eset included

Discussion in 'other anti-virus software' started by Red Dawn, Oct 18, 2004.

Thread Status:
Not open for further replies.
  1. Red Dawn

    Red Dawn Registered Member

    Jun 28, 2004
    Just an FYI for any NOD32 users of a new vulnerability:

    Vulnerability in multiple antivirus products

    By Bill Brenner, News Writer
    18 Oct 2004

    Attackers could use a .zip file vulnerability in multiple antivirus software products to escape detection, Reston, Va.-based security firm iDefense Inc. warned Monday.

    "This vulnerability affects multiple antivirus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV," the company said in an advisory. "Remote exploitation of an exceptional condition error in multiple vendors' antivirus software allows attackers to bypass security protections by evading virus detection."

    The problem is in the parsing of .zip archive headers. According to iDefense: "The .zip file format stores information about compressed files in two locations -- a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality."

    This vulnerability has been confirmed with both WinZip and Microsoft compressed folders, the company added. An attacker can compress a malicious payload and evade detection by some antivirus software by modifying the uncompressed size within the local and global headers to zero.

    "Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected," iDefense said in the advisory. "Most antivirus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus."

    The company said it has confirmed the flaw in the latest versions of engines provided by McAfee, Computer Associates, Kaspersky Labs, Sophos, Eset and RAV. The latest versions of engines provided by Symantec, Bitdefender, Trend Micro and Panda Software are not vulnerable.

    As a workaround, iDefense recommends users filter all compressed file archives at border gateways, regardless of content.

    The company said it has received responses from several of the vulnerable vendors. Among them:

    Santa Clara, Calif.-based McAfee Inc. told iDefense: "McAfee is aware of a proof-of-concept exploitation in .zip archive payloads where information in the local header part of the archive is modified. The techniques used by McAfee to analyze .zip archives have allowed a comprehensive solution… The latest update for the current 4320 McAfee Antivirus Engine DATS drivers (Version 4398 released on Oct 13, 2004) further enhances the protection afforded to McAfee customers against such potential exploits. It should be noted that whilst McAfee takes the potential for this exploit to be used maliciously seriously, to date no evidence of such an exploit has been discovered."

    Islandia, N.Y.-based Computer Associates International Inc. said in a statement, "With the assistance of iDefense, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .zip file to bypass virus detection. Customers are encouraged to visit the CA support site for more information about this vulnerability, a list of products and platforms that are affected, and remediation procedures."
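    As an added example (not from the thread or from iDefense), the following Python script parses the two header locations the advisory describes, inflates each entry and flags an archive whose declared uncompressed size or CRC disagrees with the actual data, which is the check a scanner needs instead of trusting the header fields. The fixture archive and the header patch that zeroes the size fields are constructed here only to exercise the check.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def make_sample_zip() -> bytes:
    """Constructed fixture: a one-entry deflated archive built with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"constructed sample text, repeated so deflate has work " * 8)
    return buf.getvalue()

def zero_uncompressed_sizes(data: bytes) -> bytes:
    """Constructed fixture: set 'uncompressed size' to 0 in the local header (offset 22)
    and the central directory entry (offset 24), the manipulation the advisory describes."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, buf.find(LOCAL_SIG) + 22, 0)
    struct.pack_into("<I", buf, buf.find(CENTRAL_SIG) + 24, 0)
    return bytes(buf)

def audit_zip(data: bytes) -> list:
    """Defensive check: inflate each entry and compare the real size and CRC with what
    the local header and the central directory claim, instead of trusting either."""
    findings, actual = [], {}  # actual: local header offset -> inflated size
    pos = data.find(LOCAL_SIG)
    while pos >= 0:
        _, _, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        blob = data[start:start + csize]
        raw = zlib.decompress(blob, -15) if method == 8 else blob  # 8 = deflate, 0 = stored
        actual[pos] = len(raw)
        if len(raw) != usize:
            findings.append(f"{name}: local header declares {usize} bytes, inflates to {len(raw)}")
        if zlib.crc32(raw) != crc:
            findings.append(f"{name}: local header CRC does not match inflated data")
        pos = data.find(LOCAL_SIG, start + csize)
    cpos = data.find(CENTRAL_SIG)
    while cpos >= 0:
        c_usize, nlen, xlen, clen = struct.unpack_from("<IHHH", data, cpos + 24)
        (offset,) = struct.unpack_from("<I", data, cpos + 42)
        name = data[cpos + 46:cpos + 46 + nlen].decode("utf-8", "replace")
        if actual.get(offset) != c_usize:
            findings.append(f"{name}: central directory declares {c_usize} bytes, "
                            f"entry inflates to {actual.get(offset)}")
        cpos = data.find(CENTRAL_SIG, cpos + 46 + nlen + xlen + clen)
    return findings
```

The audit only handles stored and deflated entries without data descriptors, which is enough to show why a scanner must size the entry from the inflated bytes rather than from either header.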
  2. rerun2

    rerun2 Registered Member

    Aug 27, 2003
    But how about when the infected file is unzipped/extracted from the zip file? Shouldn't it then be detected?
  3. Mele20

    Mele20 Former Poster

    Apr 29, 2002
    Hilo, Hawaii
    This has been fixed for NOD32:

    "The vulnerability was caused by the fact that some archive
    compression/decompression software (including Winzip) incorrectly
    handles compressed files with deliberately damaged header fields, thus,
    in fact, allowing creation of the damaged archive files, that could be
    automatically repaired on the victim's computer without notifying the

    Eset has made appropriate modifications to archive-scanning code to
    handle such kind of archives immediately after receiving notification
    from iDEFENSE. These changes are contained in archive-support module
    version 1.020, released on 16th September 2004 at 21:00 CET. The update
    was available for all clients with Automatic Virus-Signatures Update
  4. KAV User

    KAV User Guest

    Where does KAV stand on this issue?
  5. ?jram

    ?jram Guest

    I would say all this means is that if it scans the archives it won't detect it; if you open it, the virus is detected. This sounds right.
  6. flyrfan111

    flyrfan111 Registered Member

    Jun 1, 2004

    "...this bug for scanners based on 3.x-4.x engines will be fixed in next
    (not current) cumulative update.

    For scanners based on new 5.0 engine we recommend you waiting for the
    release of our next maintenance pack. We are going to release it in