Software flaws have become serious vulnerabilities for companies today, as security measures along the perimeter have become much better. And it's not just flaws in enterprise and ISV code -- even code written by major antivirus companies can be at risk. F-Secure just posted a couple of security bulletins about vulnerabilities in their antivirus products. Of particular interest is a buffer overflow in the handling of LHA archives. Because the scanning engine runs with elevated privileges, successful exploitation would allow an attacker to execute arbitrary code on the system with those privileges.

File format vulnerabilities are nothing new, but they are certainly becoming more prevalent, often with far-reaching effects. The ANI vulnerability patched a couple of months ago affected every version of Windows since Windows 2000. However, the attack vector relied on the victim visiting a website or otherwise attempting to view a malicious ANI (animated cursor) file. With an antivirus product, the attack vector is even more straightforward: the bug is triggered as soon as the scanning engine attempts to unpack and scan the file, with no user interaction at all. Many people have their AV configured to scan incoming e-mail attachments as they arrive, so the victim never has to open the attachment -- suddenly, the trusted gatekeeper becomes the weak link in the security chain.

All antivirus products have to deal with this challenge, and F-Secure is certainly not the first AV vendor to have this problem; most of the major AV products have disclosed similar vulnerabilities in the past. AV products contain extremely complex unpacking and parsing code because of the variety of file formats they have to support, and that code by definition runs on untrusted input: every length field, offset and count in an archive header is chosen by whoever built the archive.

This particular LHA vulnerability is related to the gzip vulnerability from last fall, which affected dozens if not hundreds of vendors whose products relied on the GNU gzip utility. This goes to show that you should apply the same security testing process to third-party libraries as to the code you develop in-house. Third-party code still needs to be security tested, not simply assumed to be correct, and it needs to be inventoried, so that when an upstream fix ships you know which of your products carry the affected code.
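The following C sketch is an added example, not code from the original post and not F-Secure's or gzip's code. It shows the vulnerability class the post describes: an archive unpacker that trusts a length field read from the file. It assumes a simplified LHA level-0 entry header layout (the offsets in the comment are this example's own assumption, and the header checksum and trailing CRC are carried but not validated), and it places the vulnerable parse routine beside a hardened one that checks every file-supplied length against the destination buffer, the remaining input, and the header's own size field before copying. The sample header bytes are constructed inline for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed LHA level-0 entry header (simplified; an assumption of this
 * example, not a spec reference):
 *   [0]        header size: bytes after offset 1 through the trailing CRC
 *   [1]        header checksum (not validated here)
 *   [2..6]     method id, e.g. "-lh5-"
 *   [7..10]    compressed size, little-endian
 *   [11..14]   original size, little-endian
 *   [15..18]   MS-DOS timestamp     [19] attribute     [20] header level
 *   [21]       filename length N    [22..22+N) filename, not NUL-terminated
 *   then 2 bytes of CRC-16 over the original data (not validated here) */
#define LHA_FIXED_HDR 22
#define NAME_MAX 32          /* fixed destination buffer: the overflow sink */

struct lha_entry {
    char     method[6];
    uint32_t packed_size;
    uint32_t orig_size;
    char     name[NAME_MAX];
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* VULNERABLE pattern: the filename length byte comes straight from the
 * archive and drives the copy with no check against NAME_MAX or against
 * the bytes actually present. A length byte of 0xFF writes well past the
 * end of e->name (stack or heap, depending on where the caller put it). */
int lha_parse_unsafe(const uint8_t *buf, size_t len, struct lha_entry *e) {
    if (len < LHA_FIXED_HDR) return -1;
    size_t name_len = buf[21];
    memcpy(e->method, buf + 2, 5);
    e->method[5] = '\0';
    e->packed_size = rd_le32(buf + 7);
    e->orig_size   = rd_le32(buf + 11);
    memcpy(e->name, buf + LHA_FIXED_HDR, name_len);   /* overflow sink */
    e->name[name_len] = '\0';                          /* and again */
    return 0;
}

/* HARDENED: every length taken from the file is validated against the
 * destination, the remaining input and the header's own size field
 * before any copy happens. */
int lha_parse_safe(const uint8_t *buf, size_t len, struct lha_entry *e) {
    if (len < LHA_FIXED_HDR) return -1;
    size_t hdr_size = buf[0];
    size_t name_len = buf[21];
    if (buf[20] != 0) return -1;                        /* only level 0 handled */
    if (name_len >= NAME_MAX) return -1;                /* must fit, plus NUL */
    if (LHA_FIXED_HDR + name_len + 2 > len) return -1;  /* truncated input */
    if (hdr_size != LHA_FIXED_HDR + name_len) return -1; /* size field disagrees */
    memcpy(e->method, buf + 2, 5);
    e->method[5] = '\0';
    e->packed_size = rd_le32(buf + 7);
    e->orig_size   = rd_le32(buf + 11);
    memcpy(e->name, buf + LHA_FIXED_HDR, name_len);
    e->name[name_len] = '\0';
    return 0;
}

/* Builds a constructed sample header (test data, not a real archive).
 * Returns the header length, or 0 if it does not fit. */
size_t lha_build_header(uint8_t *out, size_t cap, const char *name,
                        uint32_t packed, uint32_t orig) {
    size_t n = strlen(name);
    size_t total = LHA_FIXED_HDR + n + 2;
    if (n > 255 - LHA_FIXED_HDR || total > cap) return 0;
    memset(out, 0, total);
    out[0] = (uint8_t)(total - 2);     /* size excludes the first two bytes */
    memcpy(out + 2, "-lh5-", 5);
    wr_le32(out + 7, packed);
    wr_le32(out + 11, orig);
    out[20] = 0;                       /* level 0 */
    out[21] = (uint8_t)n;
    memcpy(out + LHA_FIXED_HDR, name, n);
    return total;
}

int main(void) {
    uint8_t buf[64];
    struct lha_entry e;
    size_t len = lha_build_header(buf, sizeof buf, "HELLO.TXT", 100, 200);
    printf("benign:  safe=%d name=%s\n", lha_parse_safe(buf, len, &e), e.name);
    buf[21] = 0xFF;                    /* crafted: oversized name length */
    printf("crafted: safe=%d (the unsafe parser would overflow here)\n",
           lha_parse_safe(buf, len, &e));
    return 0;
}
```

Build with `-fsanitize=address` and call `lha_parse_unsafe` on the crafted header to watch the write past `e->name`; the hardened parser rejects it before any copy. The three checks it adds (fits the destination, fits the input, agrees with the header's own size field) are exactly what to look for when reviewing unpacking code you pulled in from a third party.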

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
