Security problems in multiple anti-virus products
Symantec has reported a security problem in several of its anti-virus products for business and private users. As a result of a bug, the software can be fooled into overlooking malware when searching through specially crafted archives. The manipulation to create such archives formats them incorrectly, but even so, some applications and unpackers are still able to extract files from them.
This lack of detection is a particular problem at security gateways on network boundaries, with the result that for instance, for businesses, the opportunity of detecting a possible infection threat is reduced to that last line of defence, the anti-virus software on the end user's desktop. This particularly reduces the effectiveness of multi-tier approaches that use different anti-virus products.
Symantec nonetheless categorises the severity of the problem as low and in its security advisory merely provides tips for possible workarounds, rather than releasing an update. Administrators should, for example, change their gateway settings so that damaged archives are discarded. The evaluation of such vulnerabilities is a major point of distinction between different anti-virus product vendors. Last year, F-Secure evaluated the risk from such a vulnerability as high.
FRISK Software International (F-Prot), Norman Data Defense Systems and IKARUS Security Software have recently released updates to resolve similar problems in their products. Problems originally discovered and reported to the vendors by Security specialist Thierry Zoller. Zoller says that Kaspersky also recently issued a silent update to fix a vulnerability which allowed crafted malicious PDF files, opened in Adobe Reader, to bypass its anti-virus software and lead to infection.
According to Zoller, Kaspersky uses a fixed offset when parsing PDF files to determine whether the file begins with the (magical) string %PDF. If the string is not found, the software fails to recognise it as a PDF file. Adobe Reader and Foxit, by contrast, caring nothing for offsets, happily read the crafted files and execute any JavaScript contained within them.
See also:
- Specifically Crafted Archive Files can Bypass Initial Scans, security advisory from Symantec.
- Kaspersky generic PDF evasion, security advisory from Thierry Zoller.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
