Avast Antivirus patch Archives
Avast Antivirus patch Archives
Bulletin (SB05-208)
This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.
Summary of Security Items from July 20 through July 26, 2005
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Vulnerabilities
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Windows Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | ||
Alwil Software Avast! Antivirus V Home/Pro 4.6691, Server 4.6.489, Client 4.6.394 | A buffer overflow/ directory traversal vulnerability has been reported in Avast! Antivirus (UNACEV2.dll) that could let remote malicious users write files or execute arbitrary code. Vendor updates available: Currently we are not aware of any exploits for this vulnerability. | Secunia, Advisory: SA15776, July 21, 2005 | ||
Ares V1.1 | A buffer overflow has been reported in Ares that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Ares Arbitrary Code Execution | Security Focus, 14377, July 25, 2005 | |
Elemental Software CartWIZ V1.20 | A vulnerability has been reported in CartWIZ that could let remote malicious users perform cross site scripting. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Security Focus, 14386, July 26, 2005 | ||
FTPShell FTPShell Server V3.38 | A vulnerability has been reported in FTPShell that could allow remote malicious user perform a denial of service. No workaround or patch available at time of publishing. Exploit scripts have been published. | FTPshell Server Denial of Service | Secunia, Advisory: SA16189, July 26, 2005 | |
GoodTech Systems GoodTech SMTP Server V5.16 | A buffer overflow vulnerability has been reported in GoodTech SMTP Server (RCPT TO command) that could let remote malicious users execute arbitrary code. Upgrade to version 5.17: There is no exploit code required; however, Proof of Concept exploits have been published. | SecurityTracker Alert ID: 1014561, July 24, 2005 | ||
Key Focus KF Web Server V2.5.0 | A vulnerability has been reported in KF Web Server that could let remote malicious users disclose directory listings. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | KF Web Server Directory Listings Disclosure | SecurityTracker Alert ID: 1014559, July 22, 2005 | |
Microsoft JView Profiler | A vulnerability has been reported in JView Profiler that could let remote malicious users execute arbitrary code. Vendor updates available: V1.1: JView Profiler FAQ concerning Javaprxy.dll detection, and update of title reflect all supported versions of Windows 2000. There is no exploit code required; however, a Proof of Concept exploit has been published. | Microsoft JView Profiler Arbitrary Code Execution CAN-2005-2087 | Microsoft Security Bulletin MS05-037, July 12, 2005 USCERT, Vulnerability Note VU#939605, July 12, 2005 Microsoft Security Bulletin MS05-037 V1.1, July 20, 2005 | |
Microsoft Windows Color Management Module | A vulnerability has been reported in Windows Color Management Module that could let remote malicious users cause a buffer overflow, execute arbitrary code, or take complete control of a system. Vendor updates available: V1.1: Restart requirement information updated. Currently we are not aware of any exploits for this vulnerability. | Microsoft Windows Color Management Module Buffer Overflow or Arbitrary Code Execution CAN-2005-1219 | Microsoft Security Bulletin MS05-036, July 12, 2005 USCERT, Vulnerability Note VU#720742, July 12, 2005 Microsoft Security Bulletin MS05-036 V1.1, July 20, 2005 | |
Microsoft Windows USB Driver | A buffer overflow vulnerability has been reported in Windows USB Driver that could allow local malicious users to execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Security Focus, 14376, July 25, 2005 | ||
SPIDynamics WebInspect V5 | A vulnerability has been reported in WebInspect that could let remote malicious users perform cross site scripting. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | WebInspect Cross Site Scripting | Secunia Advisory: SA16191, July 26, 2005 | |
Veritas NetBackup V5.1 | A vulnerability has been reported in NetBackup that could let local malicious users perform a denial of service. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Secunia, Advisory: SA16187, July 25, 2005 | ||
WhitSoft Development SlimFTPd V3.16 | A buffer overflow vulnerability has been reported in SlimFTPd (List, Dele and Rnfr commands), that could let remote malicious users execute arbitrary code. Upgrade to version 3.17: There is no exploit code required. | Secunia, Advisory: SA16177, July 22, 2005 |
[back to top]
UNIX / Linux Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | ||
Clam AntiVirus V0.86.1 | Multiple vulnerability have been reported in Clam AntiVirus that could let remote malicious users cause a denial of service. Upgrade to version 0.86.2: Currently we are not aware of any exploits for this vulnerability. | Clam AntiVirus Multiple Vulnerabilities | Low | Secunia, Advisory: SA16180, July 25, 2005 |
Dnsmasq Dnsmasq 2.0-2.20 | Multiple vulnerabilities have been reported: a buffer overflow vulnerability has been reported due to an off-by-one error when reading the DHCP lease file, which could let a remote malicious user cause a Denial of Service; and a vulnerability has been reported when receiving DNS replies due to insufficient validation, which could let a remote malicious user poison the DNS cache. Upgrades available at: Gentoo: Slackware: Currently we are not aware of any exploits for these vulnerabilities. | Security Focus, Gentoo Linux Security Advisory, GLSA 200504-03, April 4, 2005 Slackware Security Advisory, SSA:2005-201-01, July 21, 2005 | ||
Domain Name Relay Daemon V2.19 | A buffer overflow vulnerability has been reported in Domain Name Relay Daemon (DNRD) that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Domain Name Relay Daemon Arbitrary Code Execution CAN-2005-2315 | High | SecurityTracker, Alert ID: 1014557, July 22, 2005 |
Eric Raymond Fetchmail 6.2.5 | A remote buffer overflow vulnerability has been reported in the POP3 client due to insufficient boundary checks, which could let a malicious user obtain elevated privileges. Fedora: Redhat: Ubuntu: Gentoo: Currently we are not aware of any exploits for this vulnerability. | Fedora Update Notifications, Redhat Security Advisory, RHSA-2005:640-08, July 25, 2005 Ubuntu Security Notice, USN-153-1, July 26, 2005 Gentoo Security Advisory, GLSA 200507-21, July 25, 2005 | ||
FreeBSD FreeBSD 5.3, 5.4 | A vulnerability was reported in FreeBSD in the devfs(5) device file system due to insufficient validation of the node type parameter when a device is created, which could let a malicious user obtain ROOT access. Patches available at: Currently we are not aware of any exploits for this vulnerability. | FreeBSD Security Advisory, FreeBSD-SA-05:17, July 20, 2005 | ||
Gentoo Sandbox | Multiple vulnerabilities have been reported in Sandbox that could allow a local malicious user to create temporary files. Update available: There is no exploit code required. | Gentoo Sandbox File Creation | Medium | Gentoo Security Advisory, GLSA 200507-22, July 25, 2005 |
GNU cpio 1.0-1.3, 2.4.2, 2.5, 2.5.90, 2.6 | A vulnerability has been reported when an archive is extracted into a world or group writeable directory because non-atomic procedures are used, which could let a malicious user modify file permissions. Trustix: Mandriva: RedHat: There is no exploit code required. | Bugtraq, 395703, Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005 Mandriva RedHat Security Advisory, RHSA-2005:378-17, July 21, 2005 | ||
GNU gzip 1.2.4 a, 1.2.4, 1.3.3-1.3.5 | A Directory Traversal vulnerability has been reported due to an input validation error when using 'gunzip' to extract a file with the '-N' flag, which could let a remote malicious user obtain sensitive information. Ubuntu: Trustix: Gentoo: IPCop: Mandriva: TurboLinux: FreeBSD: OpenPKG: RedHat: SGI: Conectiva: Debian: Sun: Proof of Concept exploit has been published. | Bugtraq, 396397, April 20, 2005 Ubuntu Security Notice, Trustix Secure Linux Security Advisory, Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005 Security Focus,13290, May 11, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005 Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 FreeBSD OpenPKG Security Advisory, OpenPKG-SA-2005.009, June 10, 2005 RedHat Security Advisory, SGI Security Advisory, 20050603-01-U, June 23, 2005 Conectiva Linux Announce-ment, CLSA-2005:974, July 6, 2005 Debian Security Advisory DSA 752-1, July 11, 2005 Sun(sm) Alert Notification | ||
GNU gzip 1.2.4, 1.3.3 | A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions. Ubuntu: Trustix: Gentoo: Mandriva: TurboLinux: FreeBSD: RedHat: SGI: Conectiva: Debian: Sun: There is no exploit code required. | Security Focus, Ubuntu Security Notice, Trustix Secure Linux Security Advisory, Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:092, Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005 RedHat Security Advisory, SGI Security Advisory, 20050603-01-U, June 23, 2005 Conectiva Linux Announce-ment, CLSA-2005:974, July 6, 2005 Debian Security Advisory DSA 752-1, July 11, 2005 Sun(sm) Alert Notification | ||
GNU zgrep 1.2.4 | A vulnerability has been reported in 'zgrep.in' due to insufficient validation of user-supplied arguments, which could let a remote malicious user execute arbitrary commands. A patch for 'zgrep.in' is available in the following bug report: Mandriva: TurboLinux: RedHat: RedHat: SGI: Fedora: SGI: F5: There is no exploit code required. | Security Tracker Alert, 1013928, Mandriva Linux Security Update Advisory, Turbolinux RedHat Security Advisory, RedHat Security Advisory, SGI Security Advisory, 20050603-01-U, June 23, 2005 Fedora Update Notification, SGI Security Advisory, 20050605 Secunia Advisory: SA16159, July 21, 2005 | ||
Hobbit Monitor V4.0.4 | A vulnerability has been reported in Hobbit Monitor that could let local malicious users perform a denial of service. Upgrade to version 4.1.0: Currently we are not aware of any exploits for this vulnerability. | Hobbit Monitor Denial of Service | Low | Secunia, Advisory: SA16179, July 25, 2005 |
KDE KDE 3.4, 3.3-3.3.2, 3.2-3.2.3 | A vulnerability has been reported in KDE Kate and KWrite because backup files are created with default permissions even if the original file had more restrictive permissions set, which could let a local/remote malicious user obtain sensitive information. Patches available at: Fedora: Mandriva: There is no exploit code required. | KDE Kate, CAN-2005-1920 | Security Tracker Alert ID: 1014512, July 18, 2005 Fedora Update Notification, Mandriva Linux Security Update Advisory, MDKSA-2005:122, July 20, 2005 | |
LBL tcpdump 3.4 a6, 3.4, 3.5, alpha, 3.5.2, 3.6.2, 3.6.3, 3.7-3.7.2, 3.8.1 -3.8.3; IPCop 1.4.1, 1.4.2, 1.4.4, 1.4.5 | Remote Denials of Service vulnerabilities have been reported due to the way tcpdump decodes Border Gateway Protocol (BGP) packets, Label Distribution Protocol (LDP) datagrams, Resource ReSerVation Protocol (RSVP) packets, and Intermediate System to Intermediate System (ISIS) packets. Fedora: Trustix: Ubuntu: Gentoo: Mandriva: IPCop: FreeBSD: Avaya: TurboLinux: SUSE: F5: Exploit scripts have been published. | Bugtraq, Fedora Update Notification, Trustix Secure Ubuntu Security Notice, Gentoo Linux Security Advisory, GLSA 200505-06, May 9, 2005 Mandriva Linux Security Update Advisory, Security Focus, 13392, May 12, 2005 FreeBSD Security Advisory, Avaya Security Advisory, Turbolinux SUSE Security Summary Security Focus, 13392, July 21, 2005 | ||
Multiple Vendors OpenLDAP 2.1.25; Padl Software pam_ldap Builds 166, 85, 202, 199, 198, 194, 183-192, 181, 180, 173, 172, 122, 121, 113, 107, 105 | A vulnerability has been reported in OpenLDAP, 'pam_ldap,' and 'nss_ldap' when a connection to a slave is established using TLS and the client is referred to a master, which could let a remote malicious user obtain sensitive information. Trustix: Gentoo: Mandriva: Ubuntu: There is no exploit code required. | Trustix Secure Gentoo Linux Security Mandriva Linux Security Update Advisory, Ubuntu Security Notice, USN-152-1, July 21, 2005 | ||
Multiple Vendors Larry Wall Perl 5.0 05_003, 5.0 05, 5.0 04_05, 5.0 04_04, 5.0 04, 5.0 03, 5.6, 5.6.1, 5.8, 5.8.1, 5.8.3, 5.8.4 -5, 5.8.4 -4, 5.8.4 -3, 5.8.4 -2.3, 5.8.4 -2, 5.8.4 -1, 5.8.4, 5.8.5, 5.8.6 | A vulnerability has been reported in the 'rmtree()' function in the 'File::Path.pm' module when handling directory permissions while cleaning up directories, which could let a malicious user obtain elevated privileges. A fixed version (5.8.4 or later) is available at: Ubuntu: Gentoo: Debian: TurboLinux: Mandrake: HP: Fedora: Currently we are not aware of any exploits for this vulnerability. | Ubuntu Security Notice, USN-94-1 March 09, 2005 Gentoo Linux Security Advisory [UPDATE], GLSA 200501-38:03, March 15, 2005 Debian Security Advisory, DSA 696-1 , March 22, 2005 Turbolinux Security Advisory, TLSA-2005-45, April 19, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:079, April 29, 2005 HP Security Bulletin, HPSBUX01208, June 16, 2005 Secunia, Advisory: SA16193, July 25, 2005 | ||
Multiple Vendors zlib 1.2.2, 1.2.1, 1.2 .0.7, 1.1-1.1.4, 1.0-1.0.9; Ubuntu Linux 5.0 4, powerpc, i386, amd64, 4.1 ppc, ia64, ia32; SuSE Open-Enterprise-Server 9.0, Novell Linux Desktop 9.0, Linux Professional 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Personal 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Enterprise Server 9; Gentoo Linux; | A buffer overflow vulnerability has been reported due to insufficient validation of input data prior to utilizing it in a memory copy operation, which could let a remote malicious user execute arbitrary code. Debian: FreeBSD: Gentoo: SUSE: Ubuntu: Mandriva: OpenBSD: OpenPKG: RedHat: Trustix: Slackware: TurboLinux: Fedora: zsync: Currently we are not aware of any exploits for this vulnerability. | Debian Security Advisory FreeBSD Security Advisory, Gentoo Linux Security Advisory, GLSA 200507- SUSE Security Announcement, SUSE-SA:2005:039, Ubuntu Security Notice, RedHat Security Advisory, RHSA-2005:569-03, Fedora Update Notifications, Mandriva Linux Security Update Advisory, OpenPKG Trustix Secure Slackware Security Turbolinux Security Fedora Update Notification, FEDORA-2005-565, July 13, 2005 SUSE Security Summary Security Focus, 14162, July 21, 2005 USCERT Vulnerability Note VU#680620, July 22, 2005 | ||
Multiple Vendors zlib 1.2.2, 1.2.1; Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; | A remote Denial of Service vulnerability has been reported due to a failure of the library to properly handle unexpected compression routine input. Zlib: Debian: Ubuntu: OpenBSD: Mandriva: Fedora: Slackware: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendor Zlib Compression Library Decompression Remote Denial of Service CAN-2005-1849 | Security Focus, 14340, July 21, 2005 Debian Security Advisory DSA 763-1, July 21, 2005 Ubuntu Security Notice, USN-151-1, July 21, 2005 OpenBSD, Release Errata 3.7, July 21, 2005 Mandriva Security Advisory, MDKSA-2005:124, July 22, 2005 Secunia, Advisory: SA16195, July 25, 2005 Slackware Security Advisory, SSA:2005-203-03, July 22, 2005 | |
Multiple Vendors dhcpcd 1.3.22 | A vulnerability has been reported in dhcpcd that could let a remote user perform a Denial of Service. Debian: Mandriva: Gentoo: Conectiva: Currently we are not aware of any exploits for this vulnerability. | dhcpcd Denial of Service CAN-2005-1848 | Low | Secunia, Advisory: SA15982, July 11, 2005 Debian Security Advisory, DSA 750-1, July 11, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:117, July 13, 2005 Gentoo Linux Security Advisory, GLSA 200507-16, July 15, 2005 Conectiva, CLSA-2005:983, July 25, 2005 |
Multiple Vendors KDE kopete 0.9-0.9.3, 3.4, 3.4.1, 3.3-3.3.2, 3.2.3; Wojtek Kaniewski ekg 1.1-1.6 rc1&rc2, 2005-06-05 22:03, 2005-04-11 | Multiple vulnerabilities have been reported in 'libgadu.c' due to input validation errors and an integer overflow, which could let a remote malicious user cause a Denial of Service or execute arbitrary code. EKG KDE: Fedora: Slackware: Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | Security Tracker Alert ID: 1014539, July 21, 2005 Secunia, Advisory: SA16194, July 25, 2005 Slackware Security Advisory, SSA:2005-203-02, July 22, 2005 Gentoo Security Advisory, GLSA 200507-23 kopete, July 25, 2005 | ||
netpbm V10.0 | A vulnerability has been reported in netpbm ('-dSAFER') that could let malicious users execute arbitrary postscript code. No workaround or patch available at time of publishing. There is no exploit code required. | netpbm Arbitrary Code Execution | High | Secunia Advisory: SA16184, July 25, 2005 |
Netquery V3.1 | Multiple vulnerabilities have been reported in Netquery that could allow a remote malicious user to perform cross site scripting, execute arbitrary code, or disclose information. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | Netquery Multiple Vulnerabilities | High | Security Focus, 14373, July 25, 2005 |
ProFTPd | Multiple format string vulnerabilities have been reported in ProFTPd that could let remote malicious users cause a denial of service or disclose information. Upgrade to version 1.3.0rc2: Currently we are not aware of any exploits for this vulnerability. | ProFTPD Denial of Service or Information Disclosure | Medium | Secunia, Advisory: SA16181, July 26, 2005 |
pstotext V1.9 | A vulnerability has been reported in pstotext ('-dSAFER') that could let malicious users execute arbitrary postscript code. No workaround or patch available at time of publishing. There is no exploit code required. | pstotext Arbitrary Code Execution | High | Secunia, Advisory: SA16183, July 25, 2005 |
Raxnet Cacti 0.x | Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'config_settings.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported in 'congif_settings.php' due to insufficient sanitization of the 'config[include_path]' parameter and in 'top_graph_header.php' due to insufficient sanitization of the 'config[library_path]' parameter, which could let a remote malicious user execute arbitrary code. Upgrades available at: Gentoo: Conectiva: SUSE: Debian: An exploit script has been published. | Secunia Gentoo Linux Security Advisory, GLSA 200506- Conectiva SUSE Security Summary Debian Security Advisory, DSA 764-1, July 21, 2005 | ||
Raxnet Cacti prior to 0.8.6f | Multiple SQL injection vulnerabilities have been reported in the input filters due to insufficient sanitization of user-supplied input before using in SQL queries, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in the 'graph_image.php' script due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported because 'session_start()', and 'addslashes()' can be prevented from being called due to a design error, which could let a remote malicious user obtain administrative access. Upgrades available at: Debian: There is no exploit code required. | Hardened - PHP Project Security Advisory, July 1, 2005 Debian Security Advisory, DSA 764-1, July 21, 2005 | ||
SCO UnixWare Portmapper | A vulnerability has been reported in UnixWare Portmapper that could let remote malicious users cause a denial of service. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | UnixWare Portmapper Denial of Service CAN-2005-2132 | Low | Security Focus, 14360, July 25, 2005 |
Shorewall Shorewall 2.0.x, 2.2.x, 2.4.x | A vulnerability has been reported due to a failure to properly implement expected firewall rules for MAC address-based filtering, which could let a remote malicious user bypass firewall rules. Hotfixes available at: Mandriva: There is no exploit code required. | Secunia Advisory: SA16087, Mandriva Linux Security Update Advisory, MDKSA-2005:123, July 21, 2005 | ||
Vim V6.3.082 | A vulnerability has been reported in Vim that could let remote malicious users execute arbitrary code. Vendor patch available: There is no exploit code required; however, Proof of Concept exploits have been published. | Vim Arbitrary Code Execution CAN-2005-2368 | High | Security Focus, 14374, July 25, 2005 |
xine gxine 0.4.0-0.4.4 | A format string vulnerability has been reported due to insecure implementation of a formatted printing function, which could let a remote malicious user execute arbitrary code. Gentoo: Slackware: Currently we are not aware of any exploits for this vulnerability. | pst.advisory, May 21, 2005 Gentoo Linux Security Advisory, GLSA 200505-19, May 26, 2005 Slackware Security Advisory, SSA:2005-203-04, July 22, 2005 |
[back to top]
Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | ||
3Com OfficeConnect Wireless 11g Access Point | A vulnerability has been reported in OfficeConnect Wireless 11g Access Point which could let malicious users disclose information. Update to 1.03.12: There is no exploit code required. | Secunia, Advisory: SA16207, July 25, 2005 | ||
All Enthusiast, Inc. ReviewPost 2.0 | An SQL injection vulnerability has been reported in 'Showproduct.PHP' due to insufficient sanitization of the 'sort' parameter, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required. | All Enthusiast ReviewPost 'Showproduct.PHP' SQL Injection | Secunia Advisory: SA16134, July 20, 2005 | |
Apache | A vulnerability has been reported in Apache which can be exploited by remote malicious user to smuggle http requests. Conectiva: Currently we are not aware of any exploits for these vulnerabilities. | Apache HTTP Request Smuggling Vulnerability CAN-2005-1268 | Secunia, Advisory: SA14530, July 26, 2005 Conectiva, CLSA-2005:982, July 25, 2005 | |
ASN Guestbook V1.5 | A vulnerability has been reported in ASN Guestbook that could allow remote malicious users to conduct cross site scripting. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | ASN Guestbook Cross Site Scripting | Secunia, Advisory: SA16202, July 25, 2005 | |
Atomic Photo Album V1.0.5 | A vulnerability has been reported in Atomic Photo Album ('apa_module_basedir' in apa_phpinclude.inc.php) that could allow remote malicious user to include arbitrary files. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | Atomic Photo Album Arbitrary File Inclusion | Secunia, Advisory: SA16201, July 26, 2005 | |
Blue Coat Systems All CacheOS systems, SGOS systems (SGOS 2.1.11 and earlier, SGOS 3.2.4 and earlier, SGOS 4.1.1), | A remote Denial of Service vulnerability has been reported due to insufficient validation of TCP sequence numbers in ICMP error messages. SGOS 3.2.5: Currently we are not aware of any exploits for these vulnerabilities. | Blue Coat TCP ICMP Message Sequence Numbers Denial of Service CAN-2005-0065 | Security Tracker Alerts, 1014531, 1014532, 1014533, & 1014534, July 20, 2005 | |
CMSimple Content Management System 2.4 Beta 1- Beta 5, 2.4 Beta, 2.3, Beta 1- Beta 5, 2.2, Beta 1-Beta 4, 2.1, 2.0 Beta 1- Beta 4, 1.3 Beta 1 & Beta 2, 1.0-1.2 , Beta 1 & 2 | A Cross-Site Scripting vulnerability has been reported in 'Index.php' due to insufficient sanitization of the 'search' parameter, which could let a remote malicious user execute arbitrary HTML and script code. Update available at: There is no exploit code required; however, a Proof of Concept exploit script has been published. | Security Focus, 14346, July 21, 2005 | ||
CMSimple V2.4 | An input validation vulnerability has been reported in CMSimple ('index.php') that could let remote malicious users perform cross site scripting. Vendor fix available: |
PROTOS_Test-Suite_c10-archive
Abstract
Archive formats are used to serialise a set of files and directories into a single byte stream, usually applying a form of compression in the process. The archive files can then be stored or transmitted on various media conveniently and economically, and later extracted. The use of archiving formats is ubiquitous in transmitting files over email and in distribution of software, among other areas.
The present set of archive formats were chosen as the subject protocols for vulnerability assessment through structure inference directed fuzzing and test suite creation.
A list of frequently observed archiving formats was drawn up. Test material was prepared and tests were carried out against a sample set of existing anti-virus programs. Results were gathered and reported.
Most of the implementations available for evaluation failed to perform in a robust manner under test. Some failures had information security implications, and should be considered as vulnerabilities.
In order to achieve a robustness baseline for archival products, this test material should be adopted for their evaluation and development. Anti-virus and other security products employing archive formats should be considered the most important subjects in this respect.
This test suite is a byproduct of the [Genome] project, hereby referred as GENOME. The test suite contains a set of fuzzed archive files in different formats, some of which may cause and some are known to cause problems for example in common decompression and anti-virus tools.
This test suite covers a limited set of information security and robustness related implementation errors for subsets of the chosen protocols. The subject protocols, along with their scrutinised subsets, are illustrated in the Analysis section below.
The purpose of this test suite is to evaluate implementation level security and robustness of programs handling archive files of different formats. Archive formats were considered a viable topic for a test suite due to the following factors:
- The complexity involved in parsing different file formats has historically been found to beget vulnerability. Archive formats were thought to be similar in this respect.
- The use of archive formats encompasses computing. In other words - there are various different implementations and a myriad of installations. As a result, the impact of an archive vulnerability can be significant.
- The methods developed in the GENOME project facilitate test suite creation so that multiple formats can be covered with relative ease. Thus the scope of the test suite can be extensive.
- Many archive formats have a long history, which has given their implementations plenty of time to mature and harden with respect to implementation level errors. Evaluating such mature products should provide us useful feedback on the current state of implementation level robustness in general.
- Processing archive formats may have a long family tree where versions of archiving code have been forked or copied into different projects, which might not have incorporated the fixes for bugs to shared code found in other branches of the family tree.
The field of archive formats was analysed with the methods of OUSPG's MATINE project. The focus of this analysis was on the different formats and their specifications, their different technical and organisational uses and prior security issues affecting them. The analysis methods lay weight on issues regarding the history of code and specifications (inheritance, re-use), historical data on the usage and prevalence of different implementations and expert opinion.
The analysis highlighted anti-virus software as representative, or topical, subject for this test suite. Motivation for producing test material targeted at ensuring robustness of anti-virus tools include:
- Anti-virus tools by definition process input from potentially malicious sources.
- Anti-virus tools parse a wide variety of different data formats. Due to their nature, they have to process each file in a system, including archived content.
- Anti-virus tools run at high privileges, increasing the impact of potential compromise.
- Anti-virus tools are commonly installed organisation-wide on all able computers, including (or especially) on computers in critical and high-profile roles.
- Usage of Anti-virus tools is commonly mandated by organisational policy, contract and other administrative and/or legal requirements. US HIPAA legislation [1] is commonly interpreted to mandate use of anti-virus software.
It was noted that anti-virus tools parse many different kinds of data, and this test material, being limited to archive formats only, can only serve as a decent first aid for related vulnerability assessment. A proper security evaluation of anti-virus software would involve scrutinising a much greater set of file formats.
In this test-suite, the focus was set on the certain archive formats, namely ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO. This set encompasses the most commonly used archive formats.
The specifications for the archive file formats are in some cases available. However, since there are many versions and variants of many of the formats, and there are in many cases no formal easily processable specifications of the contents, basing testing on this knowledge would require too much human time. On the other hand, purely random changes can be applied to sample files, or purely random data can be used, to blindly test the behaviour of programs. This approach generally requires too much computer time. The GENOME approach does not require manual modeling of the tested protocol/file format, unlike the PROTOS Classic[2] approach of test suite development.
Most of the files in the test suite have been built using an intelligently automated combination of the approaches stated above. A set of valid files is first collected. A program is then used to analyse the structure of these files, yielding a rough model of the underlying file format. This model is then used to generate similar files, which often have modifications that would be extremely unlikely to appear, were one to use purely random methods. Because most of the testing and processing involved in building a test set is automatic, we were able to test a fairly large set of file formats.
The test suite can be used as robustness testing material for programs that process corresponding file formats. Usually programs should simply report that the files are invalid and resume operation in a controlled manner. For example program termination, altered behaviour and infinite loops indicate unintentional and in many cases exploitable errors.
Subject Survey
Freely available and evaluation versions of some common UNIX-based anti-virus products were selected as test subjects, and the common archive formats processed by the tools were selected for testing.
No sample list of implementations is presented herein. A large number of vendors include anti-virus or archive products in their product portfolios. A list of vendors with anti-virus products or archive products may include at least Alwil, Apple Computer, Avira, Cisco Systems, Comodo, Computer Associates, F-Secure, FRISK Software, Grisoft, Hewlett-Packard, IBM, ?McAfee, ?MicroWorld, Microsoft, Norman, Norton, Novatix, Panda Software, Pkware, Proland Software, RARLAB, Red Hat, Softwin, Sophos, Sun Microsoystems, Symantec, Trend Micro, Winzip, and many others.
The following image gives a faint approximation on the extent to which different archive formats can be used in computer systems. It represents a scenario in which two network peers, commonly a client and a server, communicate over a communication network. Potential archive format implementations involved are highlighted. Illustration on the scope of archive implementations.
Legend:
- Network payload compression, implemented in hardware or software. Although compression per se was not targeted in this test suite, some compression might have been encapsulated in archive formats in this context. Note that software payload compression includes the compression used in many cryptographic message formats and the gzip content encoding in the prevalent MIME protocol.
- Network content filtering (spam, phishing and other undesired content) and virus scanning may need to handle archived content.
- Network caches, proxies and load balancing devices may parse archived payloads.
- Network firewalls (especially stateful/application level firewalls), intrusion detection/prevention systems may need to handle archived content.
- Client-side (or personal) firewalls, intrusion detection/prevention systems, content filtering, anti-virus, anti-malware, anti-spyware and anti-rootkit software may need to handle archived content.
- Different kind of client and server software handles archived content for various purposes. This includes the handling of archived configuration or customisation files (e.g. skins) and media files as some formats include data compression. Note that many programs include add-on plugins or modules that also may employ archive formats.
- APIs of operating systems and various libraries enable or involve the handling of archived content. Many environments also include indexing services that study filesystem content at regular intervals, and GUI functions designed for the handling of archives. Many programming languages handle archives containing library files and software packages. Many software packet installation management systems handle archived content.
- Connected embedded devices, most notably backup drives, may involve hardware or software archival functions.
- Connected palmtop and mobile appliances, which are often embedded devices, may require archival for communications or other functions. Note that the client and server systems depicted in this image may also be such devices.
Prior public vulnerabilities related to archive formats have been evident in most of the implementation categories listed above.
Injection and instrumentation methods
The injection vector survey, or delivery vector survey, analyses the different methods of delivering the test-cases to the implementations under test (IUT). Often, there are several methods of injection and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.
Most anti-virus software focus on inspecting files that reside in a file system. As this test suite is focused on testing anti-virus software, it uses file system as the method of injection. Because all of the tested anti-virus tools and decompression tools could be run from command line, the injection could be handled by simple shell scripts. These scripts fed the test cases to the test subject one by one while monitoring their execution. The used injection scripts are not bundled with the test suite as they are very case-specific and easily reproducible for most subjects.
With instrumentation on the target platform we are able to monitor for undesired behaviour of the subject implementation. Typically this manifests as exceptions or signals such as 'access violation' or 'segmentation fault'. For most of the testing we used isolated Linux installations of the x86/IA32 architecture. In addition, sporadic testing was carried out with Mac OS X and Windows operating systems.
Strace and a kernel patch to report all fatal signals were used to monitor the operation of programs when the fuzzed files were processed. The value of eip register at the time of the fatal signal was used to rule some terminations as probably manifestations of the same error. The used instrumentation is not bundled with the test material as it is freely available via other sources for various platforms.
Computer programs usually process input. Often some of the input comes from a file. By using specially crafted files, it is often possible to expose un-handled and potentially exploitable errors in programs.
The test suite consists of modified archive files of corresponding file formats. Some of the files were generated using fairly simple content fuzzing techniques, and some were generated using a model-assisted approach. In both cases the files were generated using a set of sample files.
For each file format, set of valid files were first collected. The contents of the files are for the most part text documents and files of other common document formats. Freely available archival tools with different parameters were then used to create them. The collected files were processed with structure inference tools developed in GENOME to yield simple models of the content. The models were then used to generate similar data.
Fuzzed testing material was generated by applying probabilistic changes to the generated data. The fuzzing thus mostly involved selecting a good set of initial training material, and then finding reasonable parameters to produce suitably fuzzed data. The generated files are usually tested with a program as they are generated, and files causing interesting errors are collected.
This test suite contains both files that are known to cause problems in at least one program, and files that may or may not cause problems in some programs. In many cases files in this test suite expose severe un-handled errors, many of which have direct security implications and should be considered as vulnerabilities.
The structure inference and fuzzer tools used in the production of the test suite were provided by the GENOME project. The described automatic model assisted approach is new to our knowledge, and it has been very effective in producing various test input.
The tests are divided into separate test-material packages for each file formats. Each test-material package consists of a certain amount of test-cases, as specified in the table below. Number of test cases by archive format Archive format # cases
ace 91518 arj 255343 bz2 321818 cab 130823 gz 227311 lha 176631 rar 198865 tar 40549 zip 189833 zoo 163595 total 1632691The package is distributed as a cd-rom image containing:
- the GPL licence
- very brief usage instructions
10 pieces <format>.tar.bz2 packages
The license allows free use and redistribution of the test material package. If you modify the material, please consider renaming the package.
In most Linux systems the iso image file can be used directly without burning it to a cd-rom, by issuing the following command:
$ mount -o loop testsuites.iso /cdromThe cd-rom contains the test suites bundled by file format in tar.bz2 archives.
The archives can be decompressed with any decompression software supporting BZIP2 archives and having no limit for the number of files in one archive. In UNIX systems this can be done by issuing the following commands:
$ bunzip2 < suite.tar.bz2 | tar -xvf -One suitable tool for Windows environment is ICEOWS, available at no cost. Note that each x.tar.bz2 package is first decompressed to a x.tar file, which is then similarly decompressed into a directory x containing the files. Note that OUSPG neither endorses any decompressor in particular, nor guarantee that they will not have issues with the test suite.
The decompression will take anything from a few minutes to several hours, depending on the computer. After decompression, the complete test suite contains 5.22GB of data, which on a typical Windows system occupies a bit over 10GB of physical space. Note that when using Windows, the test suite directories can be removed faster from the command line.
Testing with the test suite is carried out by feeding the files in the test suite to the desired subjects. Often this process can be automated to some degree, for example by scripts or batch processing. While testing, the test subject should be monitored for any unorderly behaviour, such as crashes, hangs or the overt consumption of system resources. This document does not cover the details of instrumentation, and we leave it up to users of the test material to come up with techniques to monitor whether test subjects handle the test cases in a satisfactory manner.
We recommend some additional guidelines for testing, although these are not imposed by the test material licence. These guidelines can be found from the Test suite releases in Theory and Practice document.
Use of latest release (highest number) is recommended. Older releases are provided for completeness and reproduction.
Release 1
Test-runs were conducted against the chosen set of sample implementations. The test material consisted of the fit test cases selected during the production of the test suite.
Test Result Definitions
- failed
In this test suite, the failed status is granted if any of the following criteria are met and a single test case can be identified to be responsible of it: a process or a child process crashes with fatal signal.
- inconclusive
If no single test case can be identified but similar effects are observed, the status is inconclusive.
- passed
Otherwise, the status is passed.
Each failed test case represents at minimum a denial of service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead to exposure to typical exploits, allowing running of arbitrary code or modification of the target system (eg. buffer overflows).
Test Results by Archive Format
A limited subset of the test material was used in test runs against some anti-virus products. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent.
These tables illustrate how different archive formats were handled in the test runs. A test group is marked failed if any single case or combination of cases cause the subject to fail. The results therefore represent a lower bound on implementation problems uncovered in tested software using the test material.
Result summary by archive format
Legend:
- x: Verdict is failed
- -: Verdict is passed
- ?: Verdict is inconclusive
- n/a: Software doesn't support the format
Following table shows total number of failing cases found per format.
Following table shows number of unique bugs found per format. Value of EIP at the moment of crash was used to determine whether bug is unique or not. Unique bugs by archive format Subject
Parser implementations are intricate pieces of code that are prone to implementation level faults, and archive file format parsers are no exception in this manner. Almost all of the tested tools seemed to be easy to crash using our relatively simple automated techniques. Some of the observed failures had information security implications, and should be considered as vulnerabilities. This is alarming considering the tested products were advertised as security products.
Acknowledgments
We are grateful to NISCC and CERT-FI for their help and advice during the vulnerability process.
Prior Public Vulnerabilities
At the outset of of this test suite, past implementation security issues regarding archive formats were investigated. This work included tracking archive format implementations, products, vulnerabilities, among other data. This data was gathered with the methods developed in project MATINE and visualised with Graphingwiki [3]. An example graph of CVE entries related to the RAR archive format is included below.
Graph of RAR-related CVE entries
Note that the above graph is in no way related to vulnerabilities possibly uncovered using this test material, it's just an automatically generated graph from CVE data.
Prior vulnerabilities, as reported in the CVE database, regarding the archive formats in this test suite, include but are not limited to the following:
- "Buffer overflow in Norton Antivirus for Exchange" [4]
- "DoS in MAILsweeper for SMTP" [5]
- "BSCW groupware system read or modify arbitrary files" [6]
- "GNU Tar Hostile Destination Path Vulnerability" [7]
- "Multiple vendor file archivers file extraction directory traversal" [8]
- "Multiple vendor file archivers file extraction directory traversal" [9]
- "Multiple vendor file archivers file extraction directory traversal" [10]
- "zlib "double free" memory corruption" [11]
- "Windows zipped file decompression buffer overflow" [12]
- "Multiple vendor file archivers file extraction directory traversal" [13]
- "AMaViS securetar TAR file denial of service" [14]
- "Microsoft Windows Incorrect Target Path for Zipped File Decompression." [15]
- "Internet Explorer Malformed PNG Image File Failure" [16]
- "Multiple vendor file archivers file extraction directory traversal" [17]
- "zlib gzprintf buffer overflow" [18]
"?RealPlayer PNG improper decompression buffer overflow" [19]
"?GameSpy Arcade GSAPAK.EXE file upload" [20]
- "Clearswift MAILsweeper RAR policy bypass" [21]
- "Clearswift MAILsweeper ZIP policy bypass" [22]
- "MAILsweeper for SMTP zip archive could allow an attacker to bypass virus protection" [23]
- "LHA multiple buffer overflows" [24]
- "Multiple directory traversal vulnerabilities in LHA" [25]
- "Integer overflow in DUNZIP32.DLL for Microsoft Windows" [26]
- "gzip gzexe script creates insecure temporary files" [27]
- "LHA metacharacter command execution" [28]
- "LHA extract_one buffer overflows" [29]
- "DGen ROM decompression symlink attack" [30]
- "LHA long pathname buffer overflow" [31]
- "zlib inflate and inflateback denial of service" [32]
- "Multiple vendor antivirus .zip bypass protection" [33]
- "unarj file name buffer overflow" [34]
- "Info-ZIP zip archive with long names buffer overflow" [35]
- "unarj file extraction directory traversal" [36]
"?RealPlayer zipped RJS file buffer overflow" [37]
- "Multiple vendor antivirus .zip bypass protection" [38]
- "WinRAR zip file buffer overflow" [39]
- "Solaris gzip modify privileges of hard linked files" [40]
- "WinRAR Repair Archive unknown vulnerability" [41]
"Clam ?AntiVirus RAR archive denial of service" [42]
- "F-Secure Anti-Virus password protected archive bypass antivirus protection" [43]
- "eTrust Antivirus could allow attacker to bypass file scan" [44]
- "MAILsweeper for SMTP RAR denial of service" [45]
"?AntiGen for Domino zip file can cause denial of service" [46]
- "F-Secure Anti-Virus LHA archive buffer overflow" [47]
- "F-Secure Anti-Virus ZIP archive bypass scanning" [48]
- "cabarc "dot dot" directory traversal" [49]
"Clam ?AntiVirus ZIP file denial of service" [50]
"?UnAce 'Ready for next volume' messages buffer overflow" [51]
"?UnAce "dot dot" directory traversal" [52]
- "WinHKI ZIP directory traversal" [53]
- "DivX Player directory traversal" [54]
"?ZipGenius path disclosure" [55]
- "Winrar dot dot dot directory traversal" [56]
- "Antivirus ARJ archive buffer overflow" [57]
- "Antivirus ARJ archive buffer overflow" [58]
"?McAfee ?AntiVirus Library stack buffer overflow" [59]
"?McAfee ?AntiVirus Library stack buffer overflow" [60]
- "HTTP Anti Virus Proxy cab and zip files bypass filtering" [61]
"?FileZilla Server zlib compression denial of service" [62]
- "RHSA-2005:357 updates for gzip not installed" [63]
- "gzip -N command directory traversal" [64]
"Multiple Symantec ?AntiVirus products RAR file detection bypass" [65]
- "Sophos Anti-Virus BZIP2 denial of service" [66]
"?MailScanner .zip security bypass" [67]
- "zlib DoS (inftrees.h)" [68]
- "Multiple vendor file archivers file extraction directory traversal" [69]
"Clam ?AntiVirus ENSURE_BITS function denial of service" [70]
- "zlib code table denial of service" [71]
"?BlackBerry Enterprise Server Attachment Service PNG buffer overflow" [72]
"?UnAce "dot dot" directory traversal" [73]
- "avast! Antivirus ACE archives buffer overflow" [74]
- "Linux Kernel huft_build zlib denial of service" [75]
- "Linux Kernel huft_build zlib denial of service" [76]
- "Tar setuid restores owner file permissions" [77]
- "IBM Lotus Notes htmsr.dll HTML speed reader URL link buffer overflow" [78]
- "IBM Lotus Notes kvarcve.dll compressed file preview directory traversal" [79]
"?RealPlayer zipped RJS file buffer overflow" [80]
- "HAURI compressed archives directory traversal" [81]
- "HAURI compressed archives directory traversal" [82]
- "HAURI vrAZace.dll library buffer overflow" [83]
- "ZipTV ARJ header buffer overflow" [84]
- "NOD32 ARJ archive buffer overflow" [85]
- "Avira Desktop for Windows ACE filename buffer overflow" [86]
"?AhnLab V3 Antivirus v3flt2k.sys scan driver allows attacker elevated privileges" [87]
- "7-Zip ARJ file buffer overflow" [88]
"?PowerArchiver ACE/ARJ filename buffer overflow" [89]
- "Kaspersky Antivirus cab heap overflow" [90]
- "ALZip filename buffer overflow" [91]
- "Virus detection bypass in Kaspersky Antivirus" [92]
"Virus detection bypass in ?BitDefender Antivirus" [93]
- "Virus detection bypass in F-Prot Antivirus" [94]
- "Virus detection bypass in Avast Antivirus" [95]
"Virus detection bypass in ?McAfee Antivirus" [96]
- "Virus detection bypass in Sophos Antivirus" [97]
- "Virus detection bypass in Symantec Antivirus" [98]
- "Virus detection bypass in Dr.Web Antivirus" [99]
- "Virus detection bypass in Avira Antivirus" [100]
- "Virus detection bypass in Norman Virus Control Antivirus" [101]
- "Virus detection bypass in Fortinet Antivirus" [102]
- "Virus detection bypass in VBA32 Antivirus" [103]
- "Virus detection bypass in Rising Antivirus" [104]
"Virus detection bypass in ?AntiVir Antivirus" [105]
- "Virus detection bypass in (1) eTrust-Iris and (2) eTrust-Vet Antivirus" [106]
"Virus detection bypass in ?ArcaVir Antivirus" [107]
- "Virus detection bypass in UNA Antivirus" [108]
"Virus detection bypass in Ikarus ?AntiVirus" [109]
- "Virus detection bypass in ClamAV Antivirus" [110]
- "Virus detection bypass in Panda Antivirus" [111]
- "Virus detection bypass in CAT Quick Heal" [112]
"Virus detection bypass in ?TheHacker" [113]
- "Virus detection bypass in Trustix Antivirus" [114]
- "Virus detection bypass in Grisoft AVG Antivirus" [115]
- "Virus detection bypass in Proland Protector Plus 2000 Antivirus" [116]
- "WinRAR unacev2.dll ACE archive buffer overflow" [117]
"?ZipGenius filename buffer overflow" [118]
- "F-Prot Antivirus ZIP files can bypass protection" [119]
- "Clam Antivirus tnef_attachment function denial of service" [120]
- "Clam Antivirus cabd_find function denial of service" [121]
"?SpeedProject multiple products lstrcat() ZIP file buffer overflow" [122]
- "Panda Antivirus library ZOO file buffer overflow" [123]
"Symantec ?AntiVirus Library RAR parsing multiple buffer overflows" [124]
- "TUGZip ARJ archive buffer overflow" [125]
- "Sophos Anti-Virus ARJ file scanning detection bypass" [126]
- "GNU Tar PAX extended headers buffer overflow" [127]
- "F-Secure Anti-Virus ZIP file buffer overflow" [128]
- "F-Secure Anti-Virus RAR and ZIP file scan detection bypass" [129]
"?WinAce ARJ header buffer overflow" [130]
- "zoo misc.c fullpath() buffer overflow" [131]
"?SpeedProject .ZIP and .JAR archives directory traversal" [132]
"Stuffit and ?ZipMagic archive directory traversal" [133]
- "PEAR::Archive_Zip dot dot directory traversal" [134]
"?WinAce .RAR and .TAR directory traversal" [135]
- "Sophos Anti-Virus CAB file parsing buffer overflow" [136]
- "zoo parse.c parse() buffer overflow" [137]
- "WinHKI archive extraction directory traversal" [138]
- "TUGZip archive directory traversal" [139]
- "IZArc extract error directory traversal" [140]
"?SpeedProject multiple products ACE buffer overflow" [141]
- "Abakt ZIP buffer overflow" [142]
"?VeriSign I-Nav VUpdater.Install ActiveX control code execution" [143]
"?ZipCentral ZIP archive filename buffer overflow" [144]
- "ZipTV ARJ header buffer overflow" [145]
"?BitZipper extract directory traversal" [146]
"?PicoZip zipinfo.dll buffer overflow" [147]
- "Filzip archive directory traversal" [148]
"?QuickZip extract directory traversal" [149]
"?AutoVue ?SolidModel Professional archive filename buffer overflow" [150]
- "Apple Mac OS X BOMArchiveHelper BOMFileClose() .zip archive buffer overflow" [151]
- "MIMEsweeper for Web RAR archive Web Policy Engine denial of service" [152]
- "WinRAR LHA archive buffer overflow" [153]
- "Microsoft Internet Explorer HTTP 1.1 compression long URL buffer overflow variant" [154]
"?MailGate Email Firewall LHA extended-header filename buffer overflow" [155]
"?PowerArchiver add buffer overflow" [156]
- "Lhaplus LZH archive extended header buffer overflow" [157]
- "Lhaz long LZH filename buffer overflow" [158]
- "gzip huft_build() code execution" [159]
- "gzip LZH array code execution" [160]
- "gzip unpack.c buffer underflow" [161]
- "gzip LZH array code execution" [162]
- "gzip LZH array code execution" [163]
"?PowerZip filename buffer overflow" [164]
- "Dr. Web LHA archive buffer overflow" [165]
- "Compression Plus ZOO buffer overflow" [166]
- "avast! LHA archive buffer overflow" [167]
During the prerelease phase all verified vulnerabilities were reported to the respective vendors through this test material. The vulnerability reports were tracked by CERT-FI and NISCC in the role of independent coordinators and advisors. An attempt was made to seek a channel to distribute the test material to vendors whose products we were not able to obtain for testing. Advisories and Vendor Statements
Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test suite are collected. Advisories that we are aware of are listed here-in:
- CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
References
[1]
[2]
Kaksonen, Rauli. A Functional Method for Assessing Protocol Implementation Security. (2001). VTT Publication series. http://www.vtt.fi/inf/pdf/. ISBN: 951-38-5873-1. Licenciate thesis.
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
[28]
[29]
[30]
[31]
[32]
[33]
[34]
[35]
[36]
[37]
[38]
[39]
[40]
[41]
[42]
[43]
[44]
[45]
[46]
[47]
[48]
[49]
[50]
[51]
[52]
[53]
[54]
[55]
[56]
[57]
[58]
[59]
[60]
[61]
[62]
[63]
[64]
[65]
[66]
[67]
[68]
[69]
[70]
[71]
[72]
[73]
[74]
[75]
[76]
[77]
[78]
[79]
[80]
[81]
[82]
[83]
[84]
Microsoft Confirms Latest Patch is rendering PCs Running Sophos and Avast Useless
What’s Happening
Microsoft has confirmed that there is an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update. Most of the workstations that were affected by this where Running Windows 7, and 8.1 and small numbers of Windows Server 2008 and 2012 R2. Microsoft has a bad reputation for Windows updates. It was later discovered that Sophos was not just the only Anti-Virus having issues – Avast, Avira, and Arcabit also reported similar issues.
Which versions of Windows are affected ?
Unfortunately, a broad sweep of Windows versions is affected by the update problems. As of right now these include Windows 7, Windows 8.1, Windows Embedded 8, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2 and Windows 10. Exactly which version is impacted depends upon which antivirus software you have installed. You can find a full list detailing conflicts between operating systems, antivirus and updates here. Different Anti-Viruses cause different symptoms with this update, for example Avira users reported system latency issues and hanging of software; Sophos in the other hand reported system fails or hangs during boot up.
How do you fix it?
Microsoft has for the meantime disabled this update for users running any of these Anti-Virus endpoints. Sophos and other Anti-Viruses platforms have disabled the update and advised those who utilize such Anti-Virus to not update Windows until Microsoft releases a fix. If you are one of the unfortunates who installed the update before they were stopped, there are several steps you can take to resolve it.
1: Boot into Safe-Mode
2: Disable the Anti-Virus service
3: Boot into normal mode
4: Uninstall the Windows KB.
If you run into a similar issue and require assistance feel free to contact us.
What’s New in the Avast Antivirus patch Archives?
Screen Shot
System Requirements for Avast Antivirus patch Archives
- First, download the Avast Antivirus patch Archives
-
You can download its setup from given links: