Security Experts:

Connect with us

Hi, what are you looking for?



F-Secure Patches Old AV Bypass Vulnerability

A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives.

A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives.

The patched issue is actually over a decade old — it was initially detailed in 2009 by security researcher Thierry Zoller — and resides in an anti-virus application’s inability to scan a compressed archive that a user can access.

There are multiple archive formats (ISO, ZIP, Bz2, RAR, GZIP, and others) that an attacker could use to avoid detection by affected cybersecurity products.

According to Zoller, email gateways and antivirus infrastructure are impacted the most, given that they cannot decompress the malformed archive to inspect its content. Users could still detect any malicious code upon extraction, but that still means some security services could be rendered useless, the researcher argues.

Despite being alerted to the existence of this bug ten years ago, many anti-virus companies did nothing to address it in their products, Zoller says.

Following the emergence of the first live attacks to exploit the vulnerability at scale for malware distribution, Zoller decided last year to check how various security products out there have been patched following his 2009 research.

What he discovered in November was that many remained vulnerable, so he decided to report the security flaw once again to the impacted vendors.

Last month, the researcher revealed that some vendors had already acted upon his reports and released patched for their products, including ESET, Kaspersky, Bitdefender, and Avira. Avira initially dismissed the report, saying the bypass does not represent a vulnerability.

Over the past week, Zoller published advisories detailing additional archive types that impacted ESET, Avira, and Kaspersky products. He also revealed that F-Secure too has fixed the flaw in both Windows and Linux products.

Affected F-Secure products include Email and Server Security, Internet Gatekeeper, and Cloud Protection for Salesforce. All could be bypassed using specially crafted RAR archives.

The security vendor pushed a fix for the Unix version (IGK) on January 20, with library version 17.0.605.474, Zoller notes. The patch for Windows was released in December 2019.

“We received this report back in October, and we worked directly with the researcher since then to fix different scanner bypasses for archive files, mostly on malformed RAR archives,” an F-Secure spokesperson told SecurityWeek. “There are no indications this vulnerability is being actively exploited, and patches have been pushed out to the affected products.” 

*Updated with comment from F-Secure

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Related: Avast, Avira Products Vulnerable to DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.