Connect with us

Hi, what are you looking for?



Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Four antivirus providers have released patches for an issue that was initially detailed by a researcher more than 10 years ago.

Four antivirus providers have released patches for an issue that was initially detailed by a researcher more than 10 years ago.

Reported by Thierry Zoller in 2009, the bug resides in an attacker’s ability to craft compressed archives that, although accessible to a user, cannot be scanned by the antivirus product.

The flaw, Zoller explains, does not refer to a single archive format, but to the user’s ability to alter a compressed archive in such a manner that it becomes inaccessible to the AV software. Multiple types of archive formats can be used, including ISO, ZIP, and Bz2.

The bug has a low impact on the client side, considering that the user can inspect the file after extraction, but severely impacts any email gateways or antivirus infrastructure, given that the archive cannot be automatically decompressed to inspect its content.

Ten years after the initial discovery, Zoller decided to revisit the issue and assess the manner in which AV vendors have addressed it in their products. He also contacted vendors to report the bug.

What he says he has found so far is rather discouraging: not only was the bug ignored, but some of the vendors he recently contacted to submit vulnerability reports did not react positively.

In November 2019, the issue caught additional attention, after it started being abused in campaigns looking to disseminate malware via emails.

Advertisement. Scroll to continue reading.

According to Zoller, the bug impacts many products from multiple vendors, including Avira, Bitdefender, ESET and Kaspersky, which he contacted in October 2019 to report the flaw and provide proof-of-concept code, so that patches would be released.

“Impact depends on the contextual use of the product and engine within the organization of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned and give it a clean bill of health. Server side AV software will not be able to discover any code or sample contained within this ZIP file and it will not raise suspicion even if you know exactly what you are looking for,” he says.

Impacted ESET products span across platforms and include Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (Mac), Cyber Security (Mac), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop. The issue was addressed in version 1294 of the archive unpacker module.

Kaspersky has addressed the vulnerability with the release of patch E for four of its products, namely Kaspersky Secure Connection 4.0 (2020), Internet Security 2020, Total Security 2020, and Security Cloud 2020.

“We also have fixed three bugs in one of anti-virus (AV) engine components that is responsible for work with ZIP archives. The fix for this component corrects its behaviour in situation of antivirus scanning specially crafted ZIP archives. These malformed archives could be used to circumvent our antivirus scan process. The bugs affected Kaspersky products with antivirus databases,” Kaspersky said.

While these two vendors were quick to patch the flaws in their products and credit Zoller for reporting them, Avira and Bitdefender were not as responsive, the security researcher says.

Avira, he says (PDF), dismissed his report right from the start. It was only after more than a month of conversation and only after the company’s CTO was contacted that a silent patch was released.

Bitdefender, on the other hand, acknowledged the bug, issued 3 CVEs, and released a patch, but then revised their approach and pulled back the CVEs. However, the vendor silently fixed the issue in December, but credited the researcher for the finding only several weeks later, after being called out for not doing so from the beginning, Zoller says.

“The length you need to go through in 2019 to report vulnerabilities is astounding, it is also astounding to see how bug bounty platforms have the potential to be used to silence reports and/or researchers. Their terms and usages introduce a new element and dynamic in the researcher/vendor relationship,” the researcher concludes.

Related: Vulnerabilities Disclosed in Kaspersky, Trend Micro Products

Related: DLL Hijacking Flaw Impacts Symantec Endpoint Protection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.