Security Experts:

F-Secure Patches Old AV Bypass Vulnerability

A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives.

The patched issue is actually over a decade old — it was initially detailed in 2009 by security researcher Thierry Zoller — and resides in an anti-virus application’s inability to scan a compressed archive that a user can access.

There are multiple archive formats (ISO, ZIP, Bz2, RAR, GZIP, and others) that an attacker could use to avoid detection by affected cybersecurity products.

According to Zoller, email gateways and antivirus infrastructure are impacted the most, given that they cannot decompress the malformed archive to inspect its content. Users could still detect any malicious code upon extraction, but that still means some security services could be rendered useless, the researcher argues.

Despite being alerted to the existence of this bug ten years ago, many anti-virus companies did nothing to address it in their products, Zoller says.

Following the emergence of the first live attacks to exploit the vulnerability at scale for malware distribution, Zoller decided last year to check how various security products out there have been patched following his 2009 research.

What he discovered in November was that many remained vulnerable, so he decided to report the security flaw once again to the impacted vendors.

Last month, the researcher revealed that some vendors had already acted upon his reports and released patched for their products, including ESET, Kaspersky, Bitdefender, and Avira. Avira initially dismissed the report, saying the bypass does not represent a vulnerability.

Over the past week, Zoller published advisories detailing additional archive types that impacted ESET, Avira, and Kaspersky products. He also revealed that F-Secure too has fixed the flaw in both Windows and Linux products.

Affected F-Secure products include Email and Server Security, Internet Gatekeeper, and Cloud Protection for Salesforce. All could be bypassed using specially crafted RAR archives.

The security vendor pushed a fix for the Unix version (IGK) on January 20, with library version 17.0.605.474, Zoller notes. The patch for Windows was released in December 2019.

"We received this report back in October, and we worked directly with the researcher since then to fix different scanner bypasses for archive files, mostly on malformed RAR archives," an F-Secure spokesperson told SecurityWeek. "There are no indications this vulnerability is being actively exploited, and patches have been pushed out to the affected products." 

*Updated with comment from F-Secure

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Related: Avast, Avira Products Vulnerable to DLL Hijacking

view counter