F-Secure virus scanner has problems with malformed archives
F-Secure has published an error report which states that it is possible to outsmart the virus scanner by presenting it with crafted LHA and RAR archives. On encountering certain manipulated archive headers, the scanner is unable to open the file and scan its contents. Any malware in the archive therefore remains undetected. This is particularly problematic when a mail gateway is the sole place where anti-virus is deployed to filter out malware attachments and the user PC is not independently protected. F-Secure does not rule out the possibility that a user program can also open a crafted archive file and execute the contents. However, if a virus scanner is installed on the PC, detection should take place locally once the archive is unpacked.
The following are affected:
F-Secure Anti-Virus for Workstations 7.00
F-Secure Anti-Virus for Windows Servers 7.00
F-Secure Anti-Virus for Citrix Servers 5.52
F-Secure Anti-Virus for MIMEsweeper 5.61
F-Secure Client Security version 7.00
F-Secure Anti-Virus for MS Exchange 7.00
F-Secure Internet Gatekeeper 6.61
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers 7.00
F-Secure Anti-Virus for Linux Servers 4.65
F-Secure Anti-Virus for Linux Gateways 4.65
F-Secure Linux Client Security 5.52
F-Secure Linux Server Security 5.52
F-Secure Internet Gatekeeper for Linux 2.16
This problem, discovered by security service provider n.runs, is being remedied by an automatically distributed update. F-Secure has already had to patch its anti-virus products once recently, when a buffer overflow was found that allowed injection and execution of code when processing archives.
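A gateway that is the only scanning point can limit the impact of this class of bypass by failing closed: an archive the engine cannot open is quarantined, not delivered as clean. The Python below is an added example, not F-Secure's code or part of the report. `gateway_verdict`, `scan_members`, the verdict strings and the sample builder are hypothetical, and the LHA level-0 checks are generic structural checks, not the specific malformations in the advisory, which this page does not describe.

```python
import struct

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 1.5-4.x, RAR 5


def archive_kind(data: bytes):
    """Identify RAR/LHA by content, not by the attachment's file name."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    # LHA stores a method id such as -lh5- or -lzs- at offset 2.
    if len(data) >= 7 and data[2:5] in (b"-lh", b"-lz") and data[6:7] == b"-":
        return "lha"
    return None


def lha_level0_consistent(data: bytes) -> bool:
    """Generic sanity checks on the first LHA level-0 header."""
    if len(data) < 24 or data[20] != 0:
        return False  # truncated, or a header level this example does not parse
    size, checksum, name_len = data[0], data[1], data[21]
    (packed,) = struct.unpack_from("<I", data, 7)
    return (
        size >= 22 + name_len                         # fixed fields + name + CRC
        and sum(data[2:2 + size]) & 0xFF == checksum  # header checksum byte
        and 2 + size + packed <= len(data)            # member data is present
    )


def gateway_verdict(data: bytes, scan_members) -> str:
    """scan_members(data) -> bool stands in for the real engine (assumption)."""
    kind = archive_kind(data)
    if kind is None:
        return "not-an-archive"
    if kind == "lha" and not lha_level0_consistent(data):
        return "quarantine"
    try:
        return "block" if scan_members(data) else "deliver"
    except Exception:
        # The engine could not open the archive: unscanned is not clean.
        return "quarantine"


def build_lha_stored(name: bytes, body: bytes) -> bytes:
    """Constructed sample: one stored (-lh0-) member; CRC field left as zero."""
    fields = (b"-lh0-" + struct.pack("<IIIBBB", len(body), len(body), 0, 0x20, 0, len(name))
              + name + b"\x00\x00")
    return bytes([len(fields), sum(fields) & 0xFF]) + fields + body
```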
- Scan bypass vulnerabilities in handling of specially crafted LHA and RAR archives, error report from n.runs.