Avira now affected by Oracle's file converter hole
Avira AntiVir for Exchange, and the Avira Small Business Security Suite and Avira Business Security Suite that contain it, are all vulnerable to the Oracle file conversion holes that were revealed two weeks ago in Oracle's monthly patch day. The holes in Oracle's Outside In library have made a range of third-party applications vulnerable to attackers using crafted files in particular formats. A product update for the Exchange package is now available; for the suites, this updated package just needs to be reinstalled.
The path to the admission of this vulnerability is, though, embarrassing for the AV vendor. Avira had initially assured heise Security, The H's associates in Germany, that there was no issue with Avira AntiVir for Exchange because it used the Microsoft Jet Engine and Microsoft Access as a database and was therefore not affected; The H noted this in our related report as an update. A few days later, though, and with no further explanation, Avira has executed an about-face: the initial statement was incorrect and the company is trying to provide updates as soon as possible.