F-PROT and AVG show vulnerabilities when processing folders
Security expert Thierry Zoller discovered that CAB files could be manipulated in such a way that the F-PROT anti-virus scanner no longer inspected their contents. Zoller passed a proof of concept, including a suitably manipulated CAB file, to FRISK. FRISK's response was to repeatedly claim that the sample file provided would not unpack using any of the normal unpackers (and presumably therefore was not a threat). Despite sending a carefully checked second sample file, Zoller says he received no further response. FRISK has apparently said that it considers the danger of a successful attack on desktop systems to be minor and that the vulnerability should be eliminated in "the next engine released".
The AVG scanner had problems with crafted ZIP archives, but the error is reported to have been eliminated in the AVG 8.5 Build 323 scan engine. The update has been available through automatic update since late last week.
- F-PROT CAB bypass / evasion, a Thierry Zoller blog post.
- AVG ZIP bypass / evasion, a Thierry Zoller blog post.