Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

F-Secure Patches Old AV Bypass Vulnerability

A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives.

A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives.

The patched issue is actually over a decade old — it was initially detailed in 2009 by security researcher Thierry Zoller — and resides in an anti-virus application’s inability to scan a compressed archive that a user can access.

There are multiple archive formats (ISO, ZIP, Bz2, RAR, GZIP, and others) that an attacker could use to avoid detection by affected cybersecurity products.

According to Zoller, email gateways and antivirus infrastructure are impacted the most, given that they cannot decompress the malformed archive to inspect its content. Users could still detect any malicious code upon extraction, but that still means some security services could be rendered useless, the researcher argues.

Despite being alerted to the existence of this bug ten years ago, many anti-virus companies did nothing to address it in their products, Zoller says.

Following the emergence of the first live attacks to exploit the vulnerability at scale for malware distribution, Zoller decided last year to check how various security products out there have been patched following his 2009 research.

What he discovered in November was that many remained vulnerable, so he decided to report the security flaw once again to the impacted vendors.

Last month, the researcher revealed that some vendors had already acted upon his reports and released patched for their products, including ESET, Kaspersky, Bitdefender, and Avira. Avira initially dismissed the report, saying the bypass does not represent a vulnerability.

Advertisement. Scroll to continue reading.

Over the past week, Zoller published advisories detailing additional archive types that impacted ESET, Avira, and Kaspersky products. He also revealed that F-Secure too has fixed the flaw in both Windows and Linux products.

Affected F-Secure products include Email and Server Security, Internet Gatekeeper, and Cloud Protection for Salesforce. All could be bypassed using specially crafted RAR archives.

The security vendor pushed a fix for the Unix version (IGK) on January 20, with library version 17.0.605.474, Zoller notes. The patch for Windows was released in December 2019.

“We received this report back in October, and we worked directly with the researcher since then to fix different scanner bypasses for archive files, mostly on malformed RAR archives,” an F-Secure spokesperson told SecurityWeek. “There are no indications this vulnerability is being actively exploited, and patches have been pushed out to the affected products.” 

*Updated with comment from F-Secure

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Related: Avast, Avira Products Vulnerable to DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.