Manipulated archives tamper with Sophos scanners
Specially prepared archives in the Petite, RAR and CHM formats can tamper with virus scanners from Sophos. Archives manipulated in this way can cause the scanner to crash or potentially execute smuggled malicious code.
An update is available for virus scanners on all platforms; it removes a denial of service vulnerability during the processing of Petite archives with a large number of large sectors. Yet it will likely be December before Sophos corrects a flaw through which RAR archives can send antivirus products into an endless loop. Around that same time the software maker intends to close security holes in the processing routines for help files in the CHM format; attackers can use them to provoke buffer overflows that could potentially plant malicious code.
Sophos claims that the vulnerabilities are not yet being actively exploited and that these are only theoretical problems. Users of Sophos virus scanners other than the Small Business version or the Software EM Library are not provided automated updates and hence should manually download and install the new versions.
- Advisory: vulnerabilities reported by iDefense, advisory from Sophos
(ehe)