FSC-2009-1: ZIP & RAR Archive Evasion Vulnerability
Brief Description
Malware inside specially crafted archive files remains undetected.
Affected Platforms
All supported platforms
Products
Gateways
Risk Level: HIGH (Low/Medium/High/Critical)
• F-Secure Anti-Virus for Microsoft Exchange 7.10 and earlier
• F-Secure Internet Gatekeeper for Windows 6.61 and earlier
• F-Secure Internet Gatekeeper for Linux 2.16 and earlier
• F-Secure Internet Gatekeeper for Linux Japanese 3.01 and earlier
• Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
Notes
The vulnerability may cause malware to remain undetected and pass through gateway scanners. The vulnerability does not compromise the integrity of the system used to run the product. Note that the Beta and Release Candidate versions of F-Secure Anti-Virus for Microsoft Exchange 8.0 are vulnerable. Users testing these versions are instructed to upgrade to the RTM version, which is not vulnerable.
Clients and servers
Risk Level: LOW (Low/Medium/High/Critical)
• F-Secure Internet Security 2009 and earlier
• F-Secure Anti-Virus 2009 and earlier
• F-Secure Client Security 8.0 and earlier
• F-Secure Anti-Virus for Workstations 8.0 and earlier
• F-Secure Linux Security 7.01 and earlier
• F-Secure Anti-Virus Linux Client Security 5.54 and earlier
• Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
• Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
• F-Secure Home Server Security 2009
• F-Secure Anti-Virus for Windows Servers 8.00 and earlier
• F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
• F-Secure Linux Security 7.02 and earlier
• F-Secure Anti-Virus Linux Server Security 5.54 and earlier
• F-Secure Anti-Virus for Linux Servers 4.65
• F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
Notes
The vulnerability affects these products’ ability to scan inside archived files. In the worst case, it may delay detection of malware or enable the user to forward infected files to other systems. The severity is low because these products’ primary purpose is to protect the system they run on rather than to stop malware in transit. These products will not be patched as a direct result of this advisory, but they receive fixes as part of normal version upgrades.
Mitigating Factors
The vulnerability only affects the antivirus software’s ability to scan inside compressed archives. In general, compressed archives are scanned in gateway environments. In a typical configuration, on-access scanning does not scan inside compressed archives. Therefore, the vulnerability is insignificant in client environments.
Attackers can exploit the vulnerability by sending malware inside specially-made compressed file archives to users. At the time of publishing, there are no known exploits.
Patch Available
| Product | Versions | Download |
|---|---|---|
| Solutions based on F-Secure Protection Service for Business - E-mail and Server security | All supported versions | Packages will be available in the update channel, and they are installed automatically. |
| F-Secure Anti-Virus for Microsoft Exchange | 7.10 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse710-05.zip; Upgrade to version 8: http://www.f-secure.com/en_EMEA/downloads/product-updates/anti-virus-for-microsoft-exchange/ |
| F-Secure Anti-Virus for Microsoft Exchange | 7.00 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse700-04.zip; Upgrade to version 8: http://www.f-secure.com/en_EMEA/downloads/product-updates/anti-virus-for-microsoft-exchange/ |
| F-Secure Anti-Virus for Microsoft Exchange | 6.62 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse662-08.zip; Upgrade to version 8: http://www.f-secure.com/en_EMEA/downloads/product-updates/anti-virus-for-microsoft-exchange/ |
| F-Secure Internet Gatekeeper for Windows | 6.61 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk661-04.zip |
| F-Secure Internet Gatekeeper for Linux | 2.16 and earlier | Upgrade to version 3.02: http://www.f-secure.com/en_EMEA/downloads/product-updates/internet-gatekeeper-for-linux/ |
| F-Secure Internet Gatekeeper for Linux Japanese | 3.01 and earlier | http://www.f-secure.co.jp/support/menu.html Note: This hotfix is intended only for the Japanese version of the product. |
F-Secure delivers patches to its supported product versions that are vulnerable. See further information on supported products and F-Secure’s Product Lifecycle Policy.
Revision history: FSC-2009-05-06
Date Issued: 2009-05-06
Last Updated: 2009-05-06




