Compression formats, such as the popular .zip, are the bane of the antivirus industry, as unsuspecting users unleash worm after worm hidden within compressed files. Now, they pose another threat.
Peter Bieringer, a security consultant at Germany-based network security company AERAsec, says so-called "decompression bombs" cause many popular antivirus engines to crash when they attempt to decompress gigabytes of data and scan hundreds and thousands of files for viruses. The result can be a denial-of-service attack against applications or systems because of the heavy processing load.
According to AERAsec, antivirus products from Trend Micro (fix available), Network Associates, Kaspersky Labs, Sophos, FRISK and AMaVis are prone to the problem. Some Web browsers that support gzip transfers -- including versions of Mozilla, Opera and Konqueror -- are also susceptible.
Bieringer warns that issues can arise any time the decompressor works only in a dump mode. He recommends implementing limits during decompression -- maximum depth of recursive compressed files, the amount of disk/memory-space available and the number of files created -- and adding an anomaly checker with configurable limits.
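The limits Bieringer recommends can be enforced while a scanner unpacks an archive. The following is an added example, not code from AERAsec or any of the vendors named above; it handles zip archives only, and the names `Limits`, `walk_archive` and `make_zip` and the default values are assumptions chosen for illustration.

```python
import io
import zipfile

class LimitExceeded(Exception):
    """Raised when an archive breaches a configured decompression limit."""

class Limits:
    def __init__(self, max_depth=3, max_files=1000, max_bytes=50 * 1024 * 1024):
        self.max_depth, self.max_files, self.max_bytes = max_depth, max_files, max_bytes
        self.files = 0   # members seen so far, across all nesting levels
        self.bytes = 0   # bytes actually decompressed so far

def walk_archive(data, limits, depth=0, chunk=64 * 1024):
    """Yield (depth, name, content) for every leaf member, enforcing limits."""
    if depth > limits.max_depth:
        raise LimitExceeded("nesting depth %d exceeds %d" % (depth, limits.max_depth))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            limits.files += 1
            if limits.files > limits.max_files:
                raise LimitExceeded("more than %d files" % limits.max_files)
            buf = bytearray()
            with zf.open(info) as member:
                # Count bytes as they are produced; the size declared in the
                # header is attacker-controlled and is not trusted here.
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    limits.bytes += len(block)
                    if limits.bytes > limits.max_bytes:
                        raise LimitExceeded("more than %d bytes" % limits.max_bytes)
                    buf += block
            content = bytes(buf)
            if zipfile.is_zipfile(io.BytesIO(content)):
                yield from walk_archive(content, limits, depth + 1, chunk)
            else:
                yield depth, info.filename, content

def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()
```

The counters live on one `Limits` object shared across recursion, so a deeply nested archive cannot reset its budget at each level; a scanner would catch `LimitExceeded` and flag the file as anomalous rather than continue unpacking.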