In association with heise online

14 November 2006, 12:36

Critical vulnerabilities in AVG closed

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The innocuous change log entry "Fixed vulnerabilities in the archives and files parsing engine" belies the repair of several critical security holes as part of an AVG update by Grisoft several weeks ago. Sergio Alvarez from n.runs, who discovered the hole, has issued a security advisory to clear up the matter.

Grisoft in fact removed errors related to the processing of CAB and RAR archives – including integer overruns that could lead to heap-based buffer overflows and the execution of planted code. Word documents could also provoke a division-by-zero error, which minimally could cause a denial of service (by crashing the scanner). Other problems included non-initialised variables in the CAB processing routines and through general integer errors during the analysis of executable EXE files.

AVG versions prior to 7.1.407 are affected. Support for the 7.1 series ends in January 2007, as a pop-up in the older software currently reminds. Anyone still using that version or even older ones can switch to version 7.5, which does not contain the corresponding flaw and which is available for private users in a free version.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit