Attackers could use a .zip file vulnerability in multiple antivirus software products to escape detection, Reston, Va.-based security firm iDefense Inc. warned Monday.
"This vulnerability affects multiple antivirus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV," the company said in an advisory. "Remote exploitation of an exceptional condition error in multiple vendors' antivirus software allows attackers to bypass security protections by evading virus detection."
The problem is in the parsing of .zip archive headers. According to iDefense: "The .zip file format stores information about compressed files in two locations -- a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality."
This vulnerability has been confirmed with both WinZip and Microsoft compressed folders, the company added. An attacker can compress a malicious payload and evade detection by some antivirus software by modifying the uncompressed size within the local and global headers to zero.
"Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected," iDefense said in the advisory. "Most antivirus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus."
The company said it has confirmed the flaw in the latest versions of engines provided by McAfee, Computer Associates, Kaspersky Labs, Sophos, Eset and RAV. The latest versions of engines provided by Symantec, Bitdefender, Trend Micro and Panda Software are not vulnerable.
As a workaround, iDefense recommends users filter all compressed file archives at border gateways, regardless of content.
The company said it has received responses from several of the vulnerable vendors. Among them:
Santa Clara, Calif.-based McAfee Inc. told iDefense: "McAfee is aware of a proof-of-concept exploitation in .zip archive payloads where information in the local header part of the archive is modified. The techniques used by McAfee to analyze .zip archives have allowed a comprehensive solution… The latest update for the current 4320 McAfee Antivirus Engine DATS drivers (Version 4398 released on Oct 13, 2004) further enhances the protection afforded to McAfee customers against such potential exploits. It should be noted that whilst McAfee takes the potential for this exploit to be used maliciously seriously, to date no evidence of such an exploit has been discovered."
Islandia, N.Y.-based Computer Associates International Inc. said in a statement, "With the assistance of iDefense, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .zip file to bypass virus detection. Customers are encouraged to visit the CA support site for more information about this vulnerability, a list of products and platforms that are effected, and remediation procedures."