Security holes in Norman antivirus products
Several vulnerabilities in Norman's antivirus products can be exploited to smuggle infected files past the scanner or to execute arbitrary code on the scanning system. According to advisories by security service provider n.runs, the Norman parser fails to detect some malware in DOC files and crashes on a divide-by-zero triggered while parsing DOC files. In addition, three buffer overflows in the LZH archive parser can be used to inject and execute arbitrary code; it makes no difference whether the recipient has any software that can open LZH archives, because the scanner parses the archive itself. The attack succeeds as soon as the scanner reads a crafted e-mail attachment, before the recipient ever opens it. n.runs reports a similar buffer overflow in the ACE archive parser.
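The advisories give no detail of the affected code, so what follows is an added illustration of the bug class, not Norman's code and not n.runs' proof of concept. It is a parser for the level-0 LZH entry header (whose layout is public) written the way a scanner should write it: the attacker-controlled header-size and filename-length bytes are checked against the bytes actually read and against the fixed-size destination before anything is copied, and an attacker-supplied value is never used as a length (or a divisor) unchecked. Dropping either length check gives the kind of overflow the advisories describe. The sample headers are constructed inline for the demonstration and are not real archives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the parser. */
enum lzh_status { LZH_OK = 0, LZH_TRUNCATED, LZH_BAD_METHOD, LZH_BAD_NAME_LEN };

/* Parsed view of one entry; the fixed-size name buffer is exactly the kind of
 * destination an unchecked memcpy from the header would overrun. */
struct lzh_entry {
    char     method[6];        /* "-lh5-" etc., NUL-terminated */
    uint32_t packed_size;
    uint32_t original_size;
    char     name[64];
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a level-0 LZH header from buf[0..len).
 * Layout: [0] header size (bytes after byte 1), [1] checksum, [2..6] method,
 * [7..10] packed size, [11..14] original size, [15..18] time, [19] attribute,
 * [20] level, [21] name length F, [22..22+F) name, then a 2-byte CRC. */
int lzh_parse_level0(const uint8_t *buf, size_t len, struct lzh_entry *out)
{
    if (len < 22)
        return LZH_TRUNCATED;              /* fixed part not even present */
    size_t hdr_size = buf[0];
    if (hdr_size + 2 > len)
        return LZH_TRUNCATED;              /* header claims bytes we never read */
    if (buf[2] != '-' || buf[6] != '-' || buf[20] != 0)
        return LZH_BAD_METHOD;
    size_t name_len = buf[21];
    /* 20 fixed bytes + name + 2-byte CRC must fit inside the declared header. */
    if (20 + name_len + 2 > hdr_size)
        return LZH_BAD_NAME_LEN;
    /* The name must also fit the destination, leaving room for the terminator.
     * Omitting this check is the classic archive-parser stack overflow. */
    if (name_len >= sizeof out->name)
        return LZH_BAD_NAME_LEN;
    memcpy(out->method, buf + 2, 5);
    out->method[5] = '\0';
    out->packed_size   = le32(buf + 7);
    out->original_size = le32(buf + 11);
    memcpy(out->name, buf + 22, name_len);
    out->name[name_len] = '\0';
    return LZH_OK;
}

/* Constructed input (not a real archive): fill a level-0 header using the
 * given size byte and name-length byte; returns the number of bytes present. */
static size_t build_header(uint8_t *buf, size_t cap, uint8_t hdr_size,
                           uint8_t name_len, const char *name)
{
    size_t total = (size_t)hdr_size + 2;
    if (total > cap) total = cap;
    memset(buf, 'A', cap);                 /* filler doubles as an overlong name */
    buf[0] = hdr_size;
    buf[1] = 0;                            /* checksum: not validated here */
    memcpy(buf + 2, "-lh5-", 5);
    buf[7] = 10;  buf[8]  = buf[9]  = buf[10] = 0;   /* packed size 10 */
    buf[11] = 42; buf[12] = buf[13] = buf[14] = 0;   /* original size 42 */
    buf[20] = 0;                           /* header level 0 */
    buf[21] = name_len;
    if (name && 22 + strlen(name) <= cap)
        memcpy(buf + 22, name, strlen(name));
    return total;
}

/* Benign entry: 5-byte name, header size 20 + 5 + 2 = 27. Returns 1 if every
 * field round-trips, 0 if a field is wrong, -1 if the parser rejects it. */
int demo_benign(void)
{
    uint8_t buf[64]; struct lzh_entry e;
    size_t n = build_header(buf, sizeof buf, 27, 5, "a.txt");
    if (lzh_parse_level0(buf, n, &e) != LZH_OK) return -1;
    return strcmp(e.name, "a.txt") == 0 && strcmp(e.method, "-lh5-") == 0 &&
           e.packed_size == 10 && e.original_size == 42;
}

/* Name length 200 fits the 255-byte header but not the 64-byte destination. */
int demo_oversized_name(void)
{
    uint8_t buf[257]; struct lzh_entry e;
    size_t n = build_header(buf, sizeof buf, 255, 200, NULL);
    return lzh_parse_level0(buf, n, &e);
}

/* Size byte claims 30 bytes but the name length claims 50: inconsistent. */
int demo_inconsistent(void)
{
    uint8_t buf[64]; struct lzh_entry e;
    size_t n = build_header(buf, sizeof buf, 30, 50, NULL);
    return lzh_parse_level0(buf, n, &e);
}

/* Size byte says 200 bytes follow, but only 40 bytes were actually read. */
int demo_truncated(void)
{
    uint8_t buf[40]; struct lzh_entry e;
    build_header(buf, sizeof buf, 200, 5, "a.txt");
    return lzh_parse_level0(buf, sizeof buf, &e);
}

int main(void)
{
    printf("benign=%d oversized=%d inconsistent=%d truncated=%d\n",
           demo_benign(), demo_oversized_name(), demo_inconsistent(), demo_truncated());
    return 0;
}
```

The three rejected cases are the three ways a header can lie about a length: the declared header is larger than the data read, the name is larger than the declared header, and the name is larger than the buffer it would be copied into. A parser that trusts any one of those bytes reads or writes out of bounds on input it receives unsolicited, which is why a scanner that parses every attachment is exposed whether or not the recipient could open the archive.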
According to the advisories, affected versions include scanner engine 5.90 and earlier. At least the DOC parsing bugs have been fixed in version 5.91.02, released in mid-June; the four critical buffer overflows are still present in that version. n.runs suggests no workaround for them.
n.runs has published this information although no patch for the overflows has been released yet, and Norman's handling of its reports appears to be the reason. Overall, communication between n.runs and Norman went badly. First, encrypted communication failed; according to n.runs, Norman used an incompatible PGP version, so confidential information was sent instead as a password-protected RAR archive, which protects the material only as well as whatever channel carries the password.
Later mails did not comply with n.runs' Security Vulnerability Reporting Policy (RFP), because Norman would not agree to publish its own security advisories on the vulnerabilities. As a result, n.runs could not be credited for its findings, even though Norman had accepted the proof-of-concept exploits and thereby implicitly accepted the RFP, which governs the whole process from notifying the vendor through testing patches to a joint announcement of the vulnerability. n.runs accuses the vendor of stalling, which is why the advisories were released in an uncoordinated manner.
- Norman Antivirus DOC parsing Divide by Zero Advisory, security advisory by n.runs
- Norman Antivirus ACE parsing Arbitrary Code Execution Advisory, security advisory by n.runs
- Norman Antivirus LZH parsing Arbitrary Code Execution Advisory, security advisory by n.runs
- Norman Antivirus DOC parsing Detection Bypass Advisory, security advisory by n.runs