Vigil@nce - F-Secure AV: bypassing via 7Z, GZIP, CAB and RAR
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can create a 7Z, GZIP, CAB or RAR archive containing a
virus, which is not detected by F-Secure products.
Severity: 2/4
Creation date: 12/04/2010
DESCRIPTION OF THE VULNERABILITY
F-Secure products support 7Z, GZIP, CAB and RAR archives, which
contain one or several files.
Tools extracting these archives (7Zip, gunzip, etc.) accept to
extract archives which are slightly malformed.
However, the F-Secure Anti-Virus rejects these malformed archives,
and does not detect included viruses.
An attacker can therefore create a 7Z, GZIP, CAB or RAR archive
containing a virus, which is not detected by F-Secure products,
but which is extracted by extraction tools. The virus is then
detected once it has been extracted on victim’s computer.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/F-Secure-AV-bypassing-via-7Z-GZIP-CAB-and-RAR-9570