.TuG.Wizard Posted October 20, 2004 Report Share Posted October 20, 2004 If you use one of the products listed as being vulnerable as your antivirus solution, DO NOT open .zip files until your vendor provides a patch for this issue! iDEFENSE Security Advisory 10.18.04: This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. II. DESCRIPTION Remote exploitation of an exceptional condition error in multiple vendors? anti-virus software allows attackers to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. The .zip file format stores information about compressed files in two locations - a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. This has been confirmed with both WinZip and Microsoft Compressed Folders. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero. II. ANALYSIS Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected. Most anti-virus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in the latest versions of the engines provided by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. The Vendor Responses section of this advisory contains details on the status of specific vendor fixes for this issue. iDEFENSE has confirmed that the latest versions of the engines provided by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable. V. WORKAROUND Filter all compressed file archives (.zip) at border gateways, regardless of content. Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now