Security hole in multiple AV products evades notice

Bill Brenner

Attackers could exploit a flaw in multiple antivirus products to create archives with malicious files without being detected, a SecuBox Labs researcher has warned in an advisory.

Silver Spring, Md.-based vulnerability watchdog Security Tracker issued its own set of advisories on the matter, saying, "A remote user can create a specially crafted archive that contains a file with malicious code but will not be detected as containing malicious code until the file in the archive is extracted… An archive that begins with a fake MZ header can trigger the flaw."

Security Tracker said a variety of archive file formats can be used in an exploit, including .rar and .cab.
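The mechanism SecurityTracker describes, a file whose first bytes look like an MZ executable header while a RAR or CAB archive follows further in, is a header/content mismatch that a scanner or mail gateway can check for directly. The following is an added example, not code from the advisory or from any of the vendors named on this page: it searches a file for archive signatures at any offset and flags files that begin with MZ but are not a well-formed PE. The magic numbers are the documented RAR 4.x/5.x, CAB and ZIP ones; every sample blob is constructed and contains no payload. A real PE that legitimately embeds an archive (a self-extracting installer) is reported separately so the inner archive can be scanned rather than blocked outright.

```python
"""Flag files whose leading bytes claim one format (an MZ executable stub)
while an archive signature sits further in.  Added example, not from the
advisory or any vendor; all sample inputs below are constructed."""

# Documented magic numbers for the archive formats named in the article
# (RAR, CAB) plus ZIP.  RAR 4.x and RAR 5.x differ in the seventh byte.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x01\x00": "rar5",   # RAR 5.x
    b"Rar!\x1a\x07\x00": "rar4",       # RAR 1.5 - 4.x
    b"MSCF": "cab",                    # Microsoft Cabinet
    b"PK\x03\x04": "zip",              # ZIP local file header
}


def find_archive_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, format) for every archive magic found anywhere in data,
    sorted by offset, so a signature hidden behind a fake header still shows up."""
    hits = []
    for magic, name in ARCHIVE_MAGICS.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def is_well_formed_pe(data: bytes) -> bool:
    """True when an MZ header carries an e_lfanew (offset 0x3C) that points at
    a 'PE\\0\\0' signature.  A two-byte fake 'MZ' prefix fails this check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Decide what the file really is, independent of what its first bytes claim."""
    hits = find_archive_signatures(data)
    starts_mz = data[:2] == b"MZ"
    if starts_mz and hits and not is_well_formed_pe(data):
        off, fmt = hits[0]
        return f"suspicious: fake MZ prefix, {fmt} signature at offset {off}"
    if starts_mz and hits:
        # Genuine PE with an archive inside (e.g. a self-extracting installer):
        # not an evasion by itself, but the embedded archive must be scanned too.
        off, fmt = hits[0]
        return f"pe-with-embedded-{fmt} at offset {off} (scan the embedded archive too)"
    if hits and hits[0][0] == 0:
        return f"archive: {hits[0][1]}"
    if starts_mz:
        return "executable"
    return "unknown"


# Constructed samples (no real content): a RAR 4.x header with a fake two-byte
# MZ stub prepended, the same RAR header on its own, and a minimal PE-shaped
# blob that carries a CAB signature after its PE header.
RAR4_HEADER = b"Rar!\x1a\x07\x00" + b"\x00" * 16
FAKE_MZ_RAR = b"MZ" + b"\x00" * 30 + RAR4_HEADER

_dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
_dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
PE_WITH_CAB = bytes(_dos_header) + b"PE\x00\x00" + b"\x00" * 20 + b"MSCF" + b"\x00" * 8


if __name__ == "__main__":
    for label, blob in [("fake-mz-rar", FAKE_MZ_RAR),
                        ("clean-rar", RAR4_HEADER),
                        ("pe-with-cab", PE_WITH_CAB)]:
        print(f"{label:12} -> {classify(blob)}")
```

The check is deliberately format-agnostic: rather than trusting the first two bytes, it asks whether the declared type is internally consistent (a real PE has a valid `e_lfanew`) and whether any archive signature appears at all. A scanner that only dispatches on the leading bytes, as the affected products apparently did, never reaches the archive parser for such a file.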

According to the SecuBox Labs researcher, who goes by the name fRoGGz, those whose products are affected include:

  • Kaspersky Lab;
  • BitDefender;
  • McAfee;
  • Sophos;
  • Symantec;
  • eTrust Iris and Vet;
  • ClamAV; and
  • Panda Software.

Other affected products are listed in the advisory.

"An attacker can compress a malicious payload and evade detection by some antivirus software," the researcher said in the SecuBox advisory. "The bypassed malicious content does not pose a risk until extracted from the .rar archive file." He said that WinRAR and PowerZip will open and extract such an archive, whereas WinZip and BitZipper refuse to open it.

The advisory outlines proof-of-concept exploit code and notes that several of the affected antivirus companies have fixed the vulnerability in their products. "We recommend [you] test your system's configuration for more certainty," the advisory said.

Security Tracker and fRoGGz did not immediately return e-mailed requests for additional details.
