Attackers could exploit a flaw in multiple antivirus products by building archives that carry malicious files past the scanner undetected, a SecuBox Labs researcher has warned in an advisory.
Silver Spring, Md.-based vulnerability watchdog Security Tracker issued its own set of advisories on the matter, saying, "A remote user can create a specially crafted archive that contains a file with malicious code but will not be detected as containing malicious code until the file in the archive is extracted… An archive that begins with a fake MZ header can trigger the flaw."
Security Tracker said a variety of archive file formats can be used in an exploit, including .rar and .cab.
According to the SecuBox Labs researcher, who goes by the name fRoGGz, affected vendors and products include:
- Kaspersky Lab;
- eTrust Iris and Vet;
- ClamAV; and
- Panda Software.
Other affected products are listed in the advisory.
"An attacker can compress a malicious payload and evade detection by some antivirus software," the researcher said in the SecuBox advisory. "The bypassed malicious content does not pose a risk until extracted from the .rar archive file." Unlike Winzip or BitZipper, which refuse to open such a file, Winrar and PowerZip will open and extract it, he said.
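The article does not spell out why a leading fake MZ header defeats the scanners, and the following is an added illustration, not code from the advisory or from any of the named products. It assumes the mechanism a practitioner would suspect: the scanner types the file by its first bytes, takes "MZ" to mean a PE executable, and therefore never runs its archive unpacker, while the archiver locates the real archive structure regardless of the junk in front (ZIP readers find the central directory from the end of the file, which is why self-extracting archives work). Python's standard `zipfile` is used as the tolerant extractor, since ZIP is the format the standard library can build and read offline; the page names .rar and .cab, but the magic-byte failure is the same. The marker string and the padding are constructed test data, not malware.

```python
import io
import zipfile

# Constructed stand-in for a "malicious" member: a harmless marker string, repeated
# so DEFLATE compresses it and the plain text never appears in the raw archive bytes.
MARKER = b"CONSTRUCTED-TEST-MARKER, not real malware"
PAYLOAD = MARKER * 8

# Constructed fake PE header: "MZ" plus padding, enough to satisfy a sniffer
# that only inspects the first two bytes.
FAKE_MZ = b"MZ" + b"\x00" * 62

# Leading signatures a magic-based type sniffer might rely on (real values).
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",
    b"MSCF": "cab",
}


def build_zip(name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP containing one DEFLATE-compressed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_mz_prefixed_zip(name: str, data: bytes) -> bytes:
    """Same archive with a fake MZ header in front. ZIP readers locate the
    central directory from the end of the file, so leading junk is tolerated."""
    return FAKE_MZ + build_zip(name, data)


def sniff_type(blob: bytes) -> str:
    """Type detection by leading bytes only; this is the weak step."""
    for sig, kind in MAGIC.items():
        if blob.startswith(sig):
            return kind
    return "unknown"


def scan_zip_members(blob: bytes) -> bool:
    """Decompress every member and look for the marker inside it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(MARKER in zf.read(info) for info in zf.infolist())


def naive_scan(blob: bytes) -> bool:
    """Scanner modelled on the flaw: unpack only what the magic bytes say is an
    archive; everything else gets a flat byte-pattern match, which cannot see
    through DEFLATE compression."""
    if sniff_type(blob) == "zip":
        return scan_zip_members(blob)
    return MARKER in blob


def robust_scan(blob: bytes) -> bool:
    """Hardened variant: ask the archive parser whether it can open the blob,
    whatever the leading bytes claim, mirroring what the extractor will do."""
    if zipfile.is_zipfile(io.BytesIO(blob)) and scan_zip_members(blob):
        return True
    return MARKER in blob


def extract_all(blob: bytes) -> dict:
    """What the user gets after extraction, fake header or not."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    clean = build_zip("payload.bin", PAYLOAD)
    evasive = build_mz_prefixed_zip("payload.bin", PAYLOAD)
    for label, blob in (("plain zip", clean), ("MZ-prefixed zip", evasive)):
        print(f"{label}: sniffed as {sniff_type(blob)}, "
              f"naive_scan={naive_scan(blob)}, robust_scan={robust_scan(blob)}, "
              f"extracts {len(extract_all(blob))} member(s)")
```

The plain archive is sniffed as "zip", unpacked and flagged; the MZ-prefixed copy is sniffed as "pe", skipped by the naive scanner, yet `extract_all` still hands back the full payload, which is the gap the advisory describes. The fix is not a longer magic table but making the scanner's unpacking decision follow the parser, as `robust_scan` does, since the archiver on the victim's machine will parse the file the same tolerant way.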
The advisory includes proof-of-concept code and notes that several of the affected antivirus vendors have already fixed the vulnerability in their products. "We recommend [you] test your system's configuration for more certainty," the advisory said.
Security Tracker and fRoGGz did not immediately return e-mailed requests for additional details.