Slashdot Mirror


Archive Formats Kill Antivirus Products

nemiloc sends us to the F-Secure blog for breaking news about widespread vulnerabilities in programs that process archive files: "The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors... including us." Here is test material from OUSPG and a joint advisory from Finnish and English security organizations. It isn't news that security products can have security vulnerabilities. What makes this advisory important is that antivirus software is a perfect target. It is run in critical places with high privileges and auto-updates to keep versions coherent.

11 of 115 comments

  1. Re:why bother checking archives anyways? by thyrf · · Score: 2, Informative

    It needs to be identified as such first anyway and that's what's crashing it.

  2. There's breakage and there's breakage by davidwr · · Score: 5, Informative

    There's

    1. "I had an exception processing file ABC.ZIP, skipping file,"
    2. Crashing and dying without handling the exception, and
    3. Being exploited due to an unexpected condition.

    The first lets viruses hide in carefully-mis-crafted archives.
    The second lets viruses deactivate antivirus software.
    The third lets viruses 0wn j00.

    Some AV software is smart enough to log instances of #1.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:There's breakage and there's breakage by kyofunikushimi · · Score: 2, Informative

      try catch?

      --
      oo
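The three outcomes davidwr lists, and the "try catch?" reply, come down to whether an archive parser validates every length field before trusting it and whether a failed entry is logged and skipped rather than allowed to take the scanner down. The following is an added illustration, not code from the thread or from any of the products mentioned: a minimal walker over ZIP local-file headers that raises a typed error on any inconsistency, plus a scan loop that turns that error into outcome #1 (log and skip). The sample archives are constructed inline, and the 4096-byte name limit is an assumed local policy, not part of the ZIP format.

```python
"""Defensive ZIP local-file-header walker (added example, not from the thread).

Every length field read from the file is bounds-checked against the buffer
before it is used, so a malformed archive ends in a logged, skipped entry
(outcome #1) instead of a crash (#2) or an out-of-bounds read (#3).
"""
import logging
import struct
import zlib

log = logging.getLogger(__name__)

LOCAL_FILE_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"                   # 30-byte fixed part of a local header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # == 30
MAX_NAME_LEN = 4096                                  # assumed policy limit, not from the spec


class MalformedArchive(ValueError):
    """Raised for any header field that is inconsistent with the buffer."""


def parse_local_headers(buf: bytes) -> list:
    """Return [(name, compressed_size, data_offset, method, crc), ...].

    Raises MalformedArchive instead of reading past the end of `buf`.
    """
    entries = []
    off = 0
    while off + LOCAL_HEADER_LEN <= len(buf):
        (sig, _ver, _flags, method, _mtime, _mdate,
         crc, csize, _usize, nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, buf, off)
        if sig != LOCAL_FILE_HEADER_SIG:
            break  # central directory or trailing data: not our concern here
        if nlen == 0 or nlen > MAX_NAME_LEN:
            raise MalformedArchive(f"entry at {off}: bad name length {nlen}")
        name_start = off + LOCAL_HEADER_LEN
        data_start = name_start + nlen + xlen
        if data_start > len(buf):
            raise MalformedArchive(f"entry at {off}: name/extra fields run past end of file")
        if csize > len(buf) - data_start:
            raise MalformedArchive(f"entry at {off}: compressed size {csize} exceeds remaining bytes")
        name = buf[name_start:name_start + nlen].decode("ascii", "replace")
        entries.append((name, csize, data_start, method, crc))
        off = data_start + csize  # always advances, since nlen >= 1
    if not entries:
        raise MalformedArchive("no local file headers found")
    return entries


def scan_archive(buf: bytes, label: str) -> dict:
    """Outcome #1 from the thread: on any parse error, log it and skip the file."""
    try:
        entries = parse_local_headers(buf)
    except MalformedArchive as exc:
        log.warning("skipping %s: %s", label, exc)
        return {"status": "skipped", "reason": str(exc), "entries": []}
    names = []
    for name, csize, data_start, method, crc in entries:
        data = buf[data_start:data_start + csize]
        if method == 0 and zlib.crc32(data) != crc:  # stored entry: CRC must match
            log.warning("skipping %s: CRC mismatch on entry %r", label, name)
            return {"status": "skipped", "reason": f"crc mismatch: {name}", "entries": []}
        names.append(name)
    return {"status": "ok", "reason": "", "entries": names}


def make_entry(name: bytes, data: bytes, csize=None, nlen=None) -> bytes:
    """Build one stored (method 0) local entry; overrides produce malformed samples."""
    csize = len(data) if csize is None else csize
    nlen = len(name) if nlen is None else nlen
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_FILE_HEADER_SIG, 20, 0, 0, 0, 0,
                         zlib.crc32(data), csize, len(data), nlen, 0)
    return header + name + data


# Constructed samples: one well-formed entry and three malformed variants.
GOOD = make_entry(b"hello.txt", b"hello world")
BAD_SIZE = make_entry(b"evil.txt", b"x", csize=0xFFFFFFFF)   # claims ~4 GiB of data
BAD_NAME = make_entry(b"evil.txt", b"x", nlen=0xFFFF)         # name length past end of file
BAD_CRC = GOOD[:-1] + b"!"                                     # payload altered, CRC stale

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, sample in [("good", GOOD), ("bad-size", BAD_SIZE),
                          ("bad-name", BAD_NAME), ("bad-crc", BAD_CRC)]:
        print(label, scan_archive(sample, label))
```

The point of the example is where the checks sit: each length is compared against the bytes actually present before any slice or offset arithmetic depends on it, and the `try`/`except` around the parser is only safe because the parser itself cannot read out of bounds. A bare "try catch" around code that already indexed past the buffer (outcome #3) would not help; in C the read would have happened before any handler ran.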
  3. Old Problem by Detritus · · Score: 4, Informative

    Similar problems have appeared in other file formats and packet formats. Even without deliberate attacks, data corruption can crash applications and systems that are insufficiently paranoid about the data that they receive and process. Do you want it fast or do you want it correct?

    --
    Mea navis aericumbens anguillis abundat
  4. Re:Secure Platform without Anti-virus by Neil+Hodges · · Score: 3, Informative

    You had to write it up the first time with Exchange (and so forth), didn't you? Wouldn't that have added to the 'TCO' of setting up your first system?

  5. Hrm by Shadow-isoHunt · · Score: 5, Informative
    --
    www.isoHunt.com
    1. Re:Hrm by Shadow-isoHunt · · Score: 2, Informative
      --
      www.isoHunt.com
  6. Re:Secure Platform without Anti-virus by DaveWick79 · · Score: 2, Informative

    Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?

  7. Re:isn't this where unix shines by Ephemeriis · · Score: 2, Informative

    in fact even on windows, why do virus scanners need high privileges?
    Typically, on a Windows system, antivirus software will embed itself into the operating system fairly deeply. They usually scan all file I/O in real-time, watch memory for suspicious things, and sandbox much of what is run. It isn't as simple as just scanning files here and there. Most Windows antivirus software installs itself (or parts of itself) as a service and starts running even before the shell comes up.
    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  8. Re:Archive Formats Kill Antivirus Products by Anonymous Coward · · Score: 0, Informative

    RIP Symantec AntiVirus; Oh AVG, how I will miss you! If you had bothered to read the article, you'd know that Symantec AV is not affected and it is unknown if AVG is affected.
  9. Re:Secure Platform without Anti-virus by Drantin · · Score: 4, Informative

    Normally, in order to keep the system functioning nicely on large systems, the users will have mailbox limits; in order to keep older mail they create personal archive files (or whatever they're actually called). These archives, with the extension PST, allow them to move mail from the Exchange server into them, and they have room for more mail while keeping the old stuff...

    --
    Actio personalis moritur cum persona. (Dead men don't sue)