Some (Most?) of the AV vendors have patches already. Looks like it was quietly announced to the AV vendors about 2 to 3 weeks ago.

This mostly impacts e-mail scanning. It's worth the effort to check, if you have one of these vendors. (Some require upgraded software).
This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
For McAfee you just need the week old 4398 DATs.
It is not in the wild yet, but does not look hard to do. (So while we have some time, ...)

The problem specifically exists in the parsing of .zip archive headers.
The .zip file format stores information about compressed files in two
locations - a local header and a global header. The local header exists
just before the compressed data of each file, and the global header
exists at the end of the .zip archive. It is possible to modify the
uncompressed size of archived files in both the local and global header
without affecting functionality. This has been confirmed with both
WinZip and Microsoft Compressed Folders. An attacker can compress a
malicious payload and evade detection by some anti-virus software by
modifying the uncompressed size within the local and global headers to
zero.


Scott,
Since this is a deliberately corrupt ZIP header, can you add an exploit check?

Greg


Tito Macapinlac wrote:
Hi,

Here is a bulletin re: new vulnerability regarding zip files.  Maybe another good
reason to ban zip files if your AV is vulnerable.

http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true


Tito
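
An added example (not part of the original thread, and not any vendor's or Declude's code) of the kind of check asked about above: it reads the central directory (the advisory's "global header") and each local header, and compares the declared uncompressed size with what the data actually expands to. The names audit_zip and make_sample and the sample archive are constructed for illustration.

```python
import io, struct, zipfile, zlib

CEN = struct.Struct("<4s6H3I5H2I")  # central directory entry, 46 bytes
LOC = struct.Struct("<4s5H3I2H")    # local file header, 30 bytes

def audit_zip(data, limit=1 << 26):
    """Return (name, local_usize, central_usize, actual) for every entry whose
    declared uncompressed size disagrees with what its data expands to."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(count):
        c = CEN.unpack_from(data, pos)
        method, csize, c_usize, fnlen, exlen, cmlen, lho = c[4], *c[8:13], c[16]
        name = data[pos + 46:pos + 46 + fnlen].decode("cp437")
        pos += 46 + fnlen + exlen + cmlen
        l = LOC.unpack_from(data, lho)
        if c[0] != b"PK\x01\x02" or l[0] != b"PK\x03\x04":
            raise ValueError("bad header signature")
        raw_start = lho + 30 + l[9] + l[10]
        raw = data[raw_start:raw_start + csize]
        if method == 8:    # deflate: inflate it, capped at `limit` bytes
            actual = len(zlib.decompressobj(-15).decompress(raw, limit))
        elif method == 0:  # stored
            actual = len(raw)
        else:
            continue       # other compression methods are not checked here
        # Flag bit 3 means the local sizes are legitimately zero (data descriptor).
        local_bad = not (l[2] & 0x08) and l[8] != actual
        if local_bad or c_usize != actual:
            findings.append((name, l[8], c_usize, actual))
    return findings

def make_sample(tamper):
    """Constructed fixture: one harmless text file; with tamper=True both
    declared uncompressed sizes are set to zero, as the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("note.txt", b"harmless test content " * 20)
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<I", data, 22, 0)  # local header field
        struct.pack_into("<I", data, data.rfind(b"PK\x01\x02") + 24, 0)  # central
    return bytes(data)

if __name__ == "__main__":
    print(audit_zip(make_sample(False)), audit_zip(make_sample(True)))
```

A non-empty result means a header understates or overstates the real size, so a gateway can quarantine the attachment before any scanner decides how much of it to read.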

  

This E-mail came from the Declude.Virus mailing list. The archives can be found at http://www.mail-archive.com.
