Slashdot Mirror


Archive Formats Kill Antivirus Products

nemiloc sends us to the F-Secure blog for breaking news about widespread vulnerabilities in programs that process archive files: "The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors... including us." Here is test material from OUSPG and a joint advisory from Finnish and English security organizations. It isn't news that security products can have security vulnerabilities. What makes this advisory important is that antivirus software is a perfect target. It is run in critical places with high privileges and auto-updates to keep versions coherent.

34 of 115 comments

  1. That's nothing by Anonymous Coward · · Score: 5, Funny

    Windows can crash over 9000 products.

    1. Re:That's nothing by thousandinone · · Score: 2, Funny

      What?!? Nine Thousand?!?

  2. Secure Platform without Anti-virus by SpaceLifeForm · · Score: 4, Insightful

    Is probably more secure.

    I don't need to mention names, you know.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Secure Platform without Anti-virus by PC+and+Sony+Fanboy · · Score: 4, Funny

      ... if only that secure platform was more customizable and less fruity.

    2. Re:Secure Platform without Anti-virus by JeanBaptiste · · Score: 5, Insightful

      Cool. I need to run MS SQL server, it's the only one that my company's workflow software will run on. Also our enterprise app is all written in ASP. We also have lots of Exchange users. It would probably take years and years to convert all these things over to something else, probably with downtime and data loss.

      Your 'solution' may work for some, but probably not for most, and for the rest of us, that's what these articles are posted for!

    3. Re:Secure Platform without Anti-virus by TheRaven64 · · Score: 5, Insightful

      That's okay, the money has already been allocated, because you factored in the cost of migrating away from the platform as part of the TCO. You did include migration costs in your TCO calculations when purchasing the workflow software and Exchange, right?

      --
      I am TheRaven on Soylent News
    4. Re:Secure Platform without Anti-virus by Ed+Avis · · Score: 4, Insightful

      I need to run MS SQL server, it's the only one that my company's workflow software will run on.
      Have you investigated porting to Sybase? It's pretty similar.

      Also our enterprise app is all written in ASP.
      Have you looked at Chili!Soft ASP? Or if you're using ASP.NET, Mono?

      We also have lots of Exchange users.
      Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.

      But you have a point that many people, yourself included, are stuck with Windows. It wouldn't be easy to migrate. Much more convenient to buy some crappy virus scanner and keep the plates spinning.
      --
      -- Ed Avis ed@membled.com
    5. Re:Secure Platform without Anti-virus by fred+fleenblat · · Score: 2, Interesting

      Also, this isn't a FOSS vs. Microsoft thing even though many people make it out to be. For maximum protection against malware I'd actually go for Oracle on Solaris or AIX, all of which are closed source.

    6. Re:Secure Platform without Anti-virus by Neil+Hodges · · Score: 3, Informative

      You had to write it up the first time with Exchange (and so forth), didn't you? Wouldn't that have added to the 'TCO' of setting up your first system?

    7. Re:Secure Platform without Anti-virus by DaveWick79 · · Score: 2, Informative

      Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?

    8. Re:Secure Platform without Anti-virus by SQLGuru · · Score: 4, Funny

      Apparently, you're just too lazy to work on it.....this guy went so far as to make an Apple II web server:
      http://www.ld8.org:6502/

      Or a list of other older Apple hardware http://www.ld8.org/servers/servers_apple2.html

      Layne

    9. Re:Secure Platform without Anti-virus by jimicus · · Score: 2, Insightful

      Three (two?) words: Vendor lock-in.

      Unless your employer is prepared to pay for code to be written specifically for every little business requirement that no half-decent Free solution exists for, I defy you to avoid vendor lock-in. Commercial applications with fully documented data schemas are more or less non-existent.

      Email solutions are easy. They've been done to death. So have office applications - word processors, spreadsheets, that kind of stuff.

      Groupware is harder, but not impossible. It becomes much harder, however, if "seamless Outlook or similarly featureful client app integration" is a requirement.

      Accounting solutions aren't easy either - they're boring to write and have to account for every nation's tax legislation in their localisation - and they need to be updated rapidly if that legislation changes. Neither is payroll, for much the same reason. Even if the app vendor hasn't tied their app to a specific database (unlikely), they'll have the most horrendous schema with zero documentation.

      As soon as you get into the realm of particularly specialist software for a given market, forget it. The goal of business is to make money for the investors, not a bunch of unknown software developers, so if something off the shelf can be purchased for a quarter of what it'll cost for something to be custom written, guess what will happen. Vendor lock-in is a bridge that shall be crossed when it is reached.

    10. Re:Secure Platform without Anti-virus by orclevegam · · Score: 2, Insightful

      Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux? Actually Linux isn't vulnerable, but some of the common utilities are. Upgrading bzip2 and tar to the latest versions should fix any vulnerabilities. Also hit hard it seems was Symantec with the common library all their utilities use for handling compressed files being compromised, and hence virtually all of their products across the board.
      --
      Curiosity was framed, Ignorance killed the cat.
    11. Re:Secure Platform without Anti-virus by IllForgetMyNickSoonA · · Score: 4, Insightful

      This is a usual argument, I know. However, each time I read it, I can't help but to ask myself "whose fault is it?" The answer is obvious, isn't it?

      It's unfair to pretend non-MS solutions are somehow expensive because it's so hard to break free from MS once you allowed yourself to get hooked into their proprietary world. You could just as well have developed your enterprise apps in something other than ASP, couldn't you?

      OK, I know I'm probably barking up the wrong tree here - probably it's not *your* fault after all. But I guess you know what I'm trying to point out.

    12. Re:Secure Platform without Anti-virus by SatanicPuppy · · Score: 2

      No. We factored in the costs of losing our jobs because the PHBs wanted Exchange.

      Seriously. I love Linux, but treating people like they're morons for having to support a Windows system is unrealistic.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    13. Re:Secure Platform without Anti-virus by bryce4president · · Score: 2, Interesting

      Last time I checked we don't run anti-virus on our IBM midrange servers...hmmmm... but IBM is so old that it's not even cool to try to hack it, right?

    14. Re:Secure Platform without Anti-virus by Drantin · · Score: 4, Informative

      Normally, in order to keep the system functioning nicely on large systems, the users will have mailbox limits; in order to keep older mail they create personal archive files (or whatever they're actually called). These archives, with the extension PST, allow them to move mail from the Exchange server into them, so they have room for more mail while keeping the old stuff...

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
    15. Re:Secure Platform without Anti-virus by Ed+Avis · · Score: 2, Insightful

      I'm sorry, but *any* system that stores email in a binary database is simply lame.
      This is a bit daft; in the end everything is stored in a binary database when it goes to disk. If you trust a database system for storing financial records at your bank, why shouldn't it store your mail? Do you think that Gmail really uses maildirs with one file per message, and good old find+grep for searching?
      --
      -- Ed Avis ed@membled.com
  3. Re:why bother checking archives anyways? by thyrf · · Score: 2, Informative

    It needs to be identified as such first anyway and that's what's crashing it.

  4. There's breakage and there's breakage by davidwr · · Score: 5, Informative

    There's

    1. "I had an exception processing file ABC.ZIP, skipping file,"
    2. Crashing and dying without handling the exception, and
    3. Being exploited due to an unexpected condition.

    The first lets viruses hide in carefully-mis-crafted archives.
    The second lets viruses deactivate antivirus software.
    The third lets viruses 0wn j00.

    Some AV software is smart enough to log instances of #1.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:There's breakage and there's breakage by mea37 · · Score: 5, Interesting

      Really smart AV software wouldn't make assumptions about the contents of the file (eliminating #3), would always check for exceptions (eliminating #2), and would treat a processing exception pretty much like a virus (neutralizing #1).

      Very little software in practice is that smart. But with AV, you know you're at war with the file you're scanning. Any AV vendor caught by this should be embarrassed.

    2. Re:There's breakage and there's breakage by kyofunikushimi · · Score: 2, Informative

      try catch?

      --
      oo
    3. Re:There's breakage and there's breakage by hyc · · Score: 2

      Most likely they should have written their own archive parsing libraries, rather than relying on the existing binaries for those formats.

      As a footnote, there are no such buffer overrun vulnerabilities in my ARC program, which is now more than 22 years old.

      http://sourceforge.net/projects/arc

      --
      -- *My* journal is more interesting than *yours*...
  5. Re:Proofread? by gnasher719 · · Score: 4, Insightful

    While two negatives make a positive, two positives do not make a negative. Yeah, right.
  6. Old Problem by Detritus · · Score: 4, Informative

    Similar problems have appeared in other file formats and packet formats. Even without deliberate attacks, data corruption can crash applications and systems that are insufficiently paranoid about the data that they receive and process. Do you want it fast or do you want it correct?

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Old Problem by Xtravar · · Score: 2, Insightful

      Do you want it fast or do you want it correct? Do I want it fast 99.99999999% of the time with a 0.00000001% chance of incident, or do I want it slow 100% of the time with a 0% chance of incident?

      If correcting the repercussions of the incident takes less time than the total time lost by doing things the correct way, then I will take the fast way, please.
      --
      Buckle your ROFL belt, we're in for some LOLs.
    2. Re:Old Problem by DRAGONWEEZEL · · Score: 2, Insightful

      You just did "Cost benefit analysis" or sometimes called Risk Analysis.

      That is the same thing that says, do I leave an unsecured wireless AP, or a lightly secured WEP AP that shows I did at least due diligence?

      For personal machines, I'd take the fast way, for sure, assuming data is backed up regularly.

      For corporate machines (in general; caveat emptor, and risk assessment would need to be performed on a per-machine basis), I wouldn't trust an ice cube's chance in hell (hey, what if Satan has a freezer?); it'd be slow and working 100% or not implemented. (Again, for the most part.)

      The thing is, a great amount of work can be lost (or stolen) in just a day's time. Also, most people don't save (or back up) incrementally throughout the day; they save at the end of the day and, if they are really good, sometimes at lunch too.

      Hell, I am a computer nerd, and I only back up quarterly. (in addition to saving most "true work" to the network drives)

      --
      How much is your data worth? Back it up now.
  7. Hrm by Shadow-isoHunt · · Score: 5, Informative
    --
    www.isoHunt.com
    1. Re:Hrm by Shadow-isoHunt · · Score: 2, Informative
      --
      www.isoHunt.com
  8. Bad programming by dabadab · · Score: 2, Interesting

    You DO test your product with malformed archives, don't you? I know I do. And our product - if possible at all - ignores the problems and extracts the archive anyway or if it's borked beyond recovery then report it as such. But crashing?... Please.

    --
    Real life is overrated.
  9. Re:Proofread? by Em+Adespoton · · Score: 4, Funny

    If you can put an apostrophe in its, he can definitely remove the comma from "yeah, right."

  10. Re:hmm, actually, if only for virus protection... by Chris+Mattern · · Score: 2, Funny

    Are you kidding? Do you know how long it's been since Eniac came out with security update patches?

  11. Re:isn't this where unix shines by Ephemeriis · · Score: 2, Informative

    in fact even on windows, why do virus scanners need high privileges?
    Typically, on a Windows system, antivirus software will embed itself into the operating system fairly deeply. They usually scan all file I/O in real-time, watch memory for suspicious things, and sandbox much of what is run. It isn't as simple as just scanning files here and there. Most Windows antivirus software installs itself (or parts of itself) as a service and starts running even before the shell comes up.
    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  12. That's been going on for ages!!! by mrmeval · · Score: 4, Interesting

    My favorite is using pkzip to zip up a ~200meg+ file to kill automated virus checkers. ;) The hard drives in the heyday of command line pkzip were small and this would kill some twit's BBS because the virus checker would blindly unzip the file then check it without checking that it would fill the drive. The next version of the software just looked at what the zip file said, but you could edit the zip to say anything and it would still decompress the whole file.
    The next version did fix that finally...for pkzip. ;)

    Using social engineering that is rather inept by today's standards, I convinced several people on usenet not to read the text telling them that it could cause problems but to just blindly open the doubly zipped file (it gets smaller when doubly zipped a certain way, so I made it 2G to start).

    I did the same thing with PGP which could allow one to kill an encrypted anonymous remailer and I also nailed several people by posting the PGP message with a passphrase. PGP compresses files prior to encryption. I didn't mess with the remailer without asking permission. The person running it was a bit surprised.

    Linux commands:
    dd if=/dev/zero of=hi bs=1024 count=200512
    zip hi.zip hi
    Result -rw-r--r-- 1 bogus bogus 199411 2008-13-48 18:04 hi.zip

    zip -9 ho.zip hi.zip
    Result -rw-r--r-- 1 bogus bogus 846 2008-30-81 18:13 ho.zip
    I'm not sure why but using -9 to start does not make the original super small it only works the second time.

    If you want to assault a fractal compressor, just insert a non-finite automata and have at them. You get points if it's video and draws frame after frame of something inappropriate.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
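The defender's side of the two points raised in this thread, davidwr's three failure modes and mrmeval's observation that a scanner must not trust what the zip header says, written as an added example that is not code from the page or from any vendor. The size and ratio limits, the verdict strings and the make_zip helper are assumptions of this example.

```python
import io
import zipfile
import zlib

# Policy values are assumptions for this example, not from the thread.
MAX_OUTPUT_BYTES = 1024 * 1024   # most bytes we will ever decompress from one archive
MAX_RATIO = 100.0                # declared uncompressed/compressed ratio that we refuse
CHUNK = 64 * 1024

def make_zip(entries, level=9):
    """Build an in-memory zip from {name: bytes}; constructed sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def inspect_zip(data, max_bytes=MAX_OUTPUT_BYTES, max_ratio=MAX_RATIO):
    """Return (verdict, reason). A processing failure is reported, never raised."""
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # The central directory is attacker-controlled: use it to reject early,
                # but never as the only limit on how much we decompress.
                declared_ratio = info.file_size / max(info.compress_size, 1)
                if info.file_size > max_bytes or declared_ratio > max_ratio:
                    return "suspicious", f"declared size/ratio exceeds policy: {info.filename}"
                # Count the bytes actually produced, streaming, so a lying header
                # cannot fill the disk (the "edit the zip to say anything" case).
                with zf.open(info) as fh:
                    while True:
                        chunk = fh.read(CHUNK)
                        if not chunk:
                            break
                        total += len(chunk)
                        if total > max_bytes:
                            return "suspicious", f"decompressed output exceeds {max_bytes} bytes"
        return "clean", f"{total} bytes inspected"
    except (zipfile.BadZipFile, zlib.error, EOFError, OSError, RuntimeError, ValueError) as exc:
        # davidwr's cases #1 and #2: a parse failure is logged and treated like a
        # detection instead of being skipped silently or crashing the scanner.
        return "suspicious", f"archive processing failed: {exc}"
```

The ratio check alone would pass a multi-entry archive whose members are each under the limit, which is why the streaming byte counter is the one that actually enforces the cap.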