anti/virus
CA20091008-01: Security Notice for CA Anti-Virus Engine
Issued: October 8, 2009
CA's support is alerting customers to multiple security risks
associated with CA Anti-Virus Engine. Vulnerabilities exist in
the arclib component that can allow a remote attacker to cause a
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls
*Advisory Information*
Title: Insufficient argument validation of hooked SSDT functions on
Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion
Multiple Vulnerabilities
CA Advisory Reference: CA20090126-01
CA Advisory Date: 2009-01-26
CA Advisory Updated: May 12, 2009
Abstract:
Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.
Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
BACKGROUND
Due to its high level of professionalism and dedication, Kaspersky Lab has become a market leader in the development of antivirus protection. The company’s main product, Kaspersky Anti-Virus, regularly receives top awards in tests conducted by respected international research centers and IT publications. Kaspersky Lab was the first to develop many technological standards in the antivirus industry, including full-scale solutions for Linux, Unix and NetWare, a new-generation heuristic analyzer designed to detect newly emerging viruses, effective protection against polymorphic and macro viruses, continuously updated antivirus databases and a technique for detecting viruses in archived files.
Source: http://www.kaspersky.com
VULNERABLE PRODUCTS
________________________________________________________________________
Computer Associates (CA) Anti-Virus
Multiple products - arbitrary code execution
________________________________________________________________________
Release mode : Coordinated
Reference : [GSEC-46-2009] - Computer Associates multiple products RCE
WWW : http://blog.g-sec.lu/2009/10/computer-associates-multiple-products.html
Vendor : http://www.ca.com
Notification to patch window : x+n
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
- Kaspersky Business Space Security
- Kaspersky Work Space Security
- Panda Security for Business with Exchange 4.04.10
- Panda Security for Enterprise 4.04.10
- Panda Internet Security 2010 (15.01.00)
- Panda Global Protection 2010 (3.01.00)
- Panda Antivirus Pro 2010 (9.01.00)
- Panda Antivirus for Netbooks (9.01.00)
(Provided by Panda)
- Panda Global Protection 2009
- Panda Internet Security 2009
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
# F-PROT AVES (High: complete bypass of engine)
# F-PROT Antivirus for Windows (unknown)
# F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Exchange (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
This bug was reported 4 years ago [1] to FRISK; the response at the
time was that "a fix for this bug will be included in future
versions of F-Prot Antivirus". Fast forward 4 years and the same error
still allows the engine to be bypassed.
[1] CVE-2005-3499
http://www.zoller.lu/research/fprot.htm
http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1
Severity: CA has given these vulnerabilities a maximum risk rating
of High.
Affected Products:
CA Anti-Virus for the Enterprise 7.1
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products (all versions up to 4.5.0 which is not released yet)
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products (all versions below 4.5.0 )
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
Affected products :
~~~~~~~~~~~~~~~~~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
Quick Heal Local Privilege Escalation Vulnerability
BACKGROUND
Quick Heal Technologies is a leading provider of AntiVirus and Internet Security tools and a leader in Anti-Virus Technology in India. A privately held company, Quick Heal Technologies Pvt. Ltd. (formerly known as Cat Computer Services (P) Ltd.) was founded in 1993 and has been actively involved in Research and Development of anti-virus software since then. Quick Heal, an award-winning anti-virus product, is installed in corporate, small business and consumers' homes, protecting their PCs from viruses and other malicious threats.
Source: http://www.quickheal.co.in
VULNERABLE PRODUCTS
Rising Multiple Products Local Privilege Escalation Vulnerability
BACKGROUND
RISING has introduced a variety of operating system based antivirus software, firewall software and enterprise antivirus wall, firewall, network security warning system and other hardware products. RISING is the third company in the world and the only one in China to provide a full range of information security products and professional services.
RISING is catering to over 60 million personal users and more than 70,000 corporate customers in Asia, Europe and Northern America. RISING technology for the search of unknown computer viruses is recognized and protected by patents in Europe, Japan and the United States of America.
Source: http://www.rising-global.com
VULNERABLE PRODUCTS
ShineShadow Security Report 15092009-09
TITLE
Local privilege escalation vulnerability in Protector Plus antivirus software
BACKGROUND
The Protector Plus range of antivirus products is known the world over for its efficiency and reliability. Protector Plus Antivirus Software is available for Windows Vista, Windows XP, Windows Me, Windows 2000, Windows 98, Windows 2000/2003/NT server and NetWare platforms. Protector Plus Antivirus Software is the ideal antivirus protection for your computer against all types of malware like viruses, trojans, worms and spyware.
Virus detail: W32.Fakerecy and W32.SillyFDC are worms that spread by copying themselves to removable and/or mapped drives.
RESOLUTION
HP is providing the following procedure to resolve this vulnerability:
1. HP recommends that the optional HP USB Floppy Drive Key be checked for the potential virus infections and cleaned. To detect and clean this virus infection the HP USB Floppy Drive Key can be plugged into a USB 2.0 port on a system with current (up-to-date) anti-virus software and scanned.
2. If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.
This virus infection would have been immediately detected and cleaned if the optional HP USB Floppy Drive Key had been used in an environment with any current (up-to-date) anti-virus software.
Overview
Some versions of Symantec’s device driver SYMTDI.SYS contain a vulnerability which, if successfully exploited, could allow a local attacker to cause the system to crash.
Affected Products
Norton AntiSpam 2005
Norton AntiVirus 2005, 2006
Norton Internet Security 2005
Norton Personal Firewall 2005, 2006
Norton System Works 2005, 2006
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition 10.1, prior to SAV 10.1 MR6 MP1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Regarding the privilege escalation report below for Panda Antivirus
2008, there is a fix available here:
http://www.pandasecurity.com/homeusers/support/card?id=41111&idIdioma=
2&ref=PAV08Dev
Users of vulnerable 2007 versions should upgrade to Panda Antivirus
Multiple file-parsing vulnerabilities leading to evasion in different antivirus (AV) products. All affected products are command-line versions of the AVs.
----------------------------
Vulnerability Descriptions
----------------------------
1. Specially crafted infected POSIX TAR files with "[aliases]" as the first 9 bytes evade detection.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Clam AntiVirus: Multiple vulnerabilities
Date: October 23, 2011
Bugs: #338226, #347627, #354019, #378815, #387521
ID: 201110-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
=======================================================================
Document ID: ASPR #2011-01-11-1-PUB
Vendor: F-Secure Corp. (http://www.f-secure.com)
Target: F-Secure Internet Security 2010 and 2011
F-Secure Anti-Virus 2010 and 2011
(and multiple other F-Secure products)
Impact: Remote execution of arbitrary code
Severity: Very high
Status: Official patch available, workarounds available
Discovered by: Simon Raner of ACROS Security
Symantec Antivirus Intel Alert Handler Service Denial of Service
TSL ID: FSC20101213-06
1. Affected Software
Symantec Antivirus Corporate Edition 10.1.8.8000 and possibly prior
Symantec System Center 10.1.8.8000 and possibly prior
Reference: http://www.symantec.com/business/antivirus-corporate-edition
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- ESET Smart Security 4 (update #4036)
- ESET NOD32 Antivirus 4 (update #4036)
- ESET Smart Security 4 Business Edition (update #4036)
- ESET NOD32 Antivirus 4 Business Edition (update #4036)
- ESET NOD32 Antivirus for Exchange Server (update #4036)
- ESET Mail Security (update #4036)
- ESET NOD32 Antivirus for Lotus Domino Server (update #4036)
#####################################################################################
Application: QuickHeal antivirus 2010 Local Privilege Escalation
Platforms: Windows Vista SP2
Exploitation: Local Privilege Escalation
Date: 2009-12-16
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- ESET Smart Security 4 (before 15/04/2009)
- ESET NOD32 Antivirus 4 (before 15/04/2009)
- ESET Smart Security 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus for Exchange Server (before 15/04/2009)
- ESET Mail Security (before 15/04/2009)
- ESET NOD32 Antivirus for Lotus Domino Server (before 15/04/2009)