NTA Monitor

Date: 30th November 2004
Risk: Low

Security software maker Sophos updated its antivirus engine in October 2004 to close a hole that let virus writers manipulate compressed files and avoid detection. The vulnerability, discovered by iDefense, also affects McAfee, Computer Associates, Kaspersky Lab, Eset and RAV.

After being contacted by a third party, Sophos acknowledged that the vulnerability existed. A company representative said that vulnerable products would update automatically and that a fix would be available for download from the company's website.

Sophos downplayed the seriousness of the problem, asserting that the risk was "theoretical" and that the company had not seen any examples of the vulnerability being exploited.

"Sophos has enhanced its scan engine (version 3.87.0) to deal with malformed Zip files," the representative said. "Sophos has not seen any examples of malware attempting to exploit this vulnerability. Furthermore, the vulnerability does not prevent Sophos' desktop on-access scanner from correctly detecting viruses that manage to bypass the email gateway software."
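To make the reported failure mode concrete, here is an added example (not from the NTA Monitor page, Sophos or iDefense) that models a scanner walking Zip local file headers and trusting their size fields, beside an unpacker that follows the central directory. The tampering it uses, zeroing the local header's CRC and size fields while leaving the central directory intact, is an assumed illustration of a "malformed Zip file", not a description of the specific flaw iDefense reported; the entries, the marker string standing in for a signature, and all function names are constructed for this example.

```python
# Added example (not from the NTA Monitor page or any vendor's engine).
# It models a scanner that trusts the Zip *local file header* and can be
# shown an "empty" entry, while an unpacker that follows the *central
# directory* still extracts the payload. Zeroing the local header's
# CRC/size fields is an assumed illustration, not the iDefense finding.
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR = "<4sHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)   # 30 bytes
DATA_DESCRIPTOR_FLAG = 0x0008                # bit 3: sizes/CRC follow the data

# Constructed stand-in for a malware signature (not a real detection string).
MARKER = b"EVIL-PAYLOAD-MARKER"
SAMPLE_ENTRIES = {                           # constructed sample archive contents
    "readme.txt": b"nothing to see here",
    "invoice.exe": b"MZ" + b"\x90" * 64 + MARKER,
}


def build_zip(entries):
    """Build a well-formed Zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zero_local_sizes(archive):
    """Constructed tampering: zero CRC/compressed/uncompressed size in every local
    header, leaving the central directory untouched (the archive still unpacks)."""
    out = bytearray(archive)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for zi in zf.infolist():
            struct.pack_into("<III", out, zi.header_offset + 14, 0, 0, 0)
    return bytes(out)


def naive_scan(archive, signature):
    """Model of a scanner that walks local headers front-to-back and trusts
    their size fields. Returns the names of entries containing `signature`."""
    hits, pos = [], 0
    while archive[pos:pos + 4] == LOCAL_SIG:
        (_, _, _, method, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_HDR, archive, pos)
        name = archive[pos + LOCAL_HDR_LEN:pos + LOCAL_HDR_LEN + nlen].decode("cp437")
        start = pos + LOCAL_HDR_LEN + nlen + xlen
        raw = archive[start:start + csize]
        if method == zipfile.ZIP_DEFLATED and raw:
            content = zlib.decompress(raw, -15)      # raw deflate stream
        elif method == zipfile.ZIP_STORED:
            content = raw
        else:
            content = b""                            # empty or unsupported: nothing to scan
        if signature in content:
            hits.append(name)
        pos = start + csize   # with csize forced to 0 this lands inside the data and the walk stops
    return hits


def header_inconsistencies(archive):
    """Cross-check every central-directory entry against its local header.
    Returns a list of (name, reason); an empty list means the two agree."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile as exc:
        return [("<archive>", f"unparsable: {exc}")]
    findings = []
    with zf:
        for zi in zf.infolist():
            off = zi.header_offset
            if archive[off:off + 4] != LOCAL_SIG:
                findings.append((zi.filename, "no local header at central-directory offset"))
                continue
            (_, _, flags, method, _, _, crc, csize, usize, _, _) = struct.unpack_from(LOCAL_HDR, archive, off)
            if method != zi.compress_type:
                findings.append((zi.filename, f"method {method} != {zi.compress_type}"))
            if flags & DATA_DESCRIPTOR_FLAG:
                continue   # sizes/CRC legitimately live in the trailing data descriptor
            if (crc, csize, usize) != (zi.CRC, zi.compress_size, zi.file_size):
                findings.append((zi.filename,
                                 f"local crc/csize/usize {crc:#x}/{csize}/{usize} != central "
                                 f"{zi.CRC:#x}/{zi.compress_size}/{zi.file_size}"))
    return findings


def unpack_scan(archive, signature):
    """What an unpacker (or a desktop on-access scanner after extraction) sees:
    entries read via the central directory that contain `signature`."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zi.filename for zi in zf.infolist() if signature in zf.read(zi.filename)]


def gateway_verdict(archive, signature):
    """Fail-closed gateway policy: block on header disagreement or on a match."""
    if header_inconsistencies(archive):
        return "block: inconsistent headers"
    hits = unpack_scan(archive, signature)
    return f"block: matched {hits}" if hits else "allow"


if __name__ == "__main__":
    clean = build_zip(SAMPLE_ENTRIES)
    tampered = zero_local_sizes(clean)
    print("naive scan, clean:   ", naive_scan(clean, MARKER))      # ['invoice.exe']
    print("naive scan, tampered:", naive_scan(tampered, MARKER))   # []  (bypass)
    print("unpack,     tampered:", unpack_scan(tampered, MARKER))  # ['invoice.exe']
    print("gateway,    tampered:", gateway_verdict(tampered, MARKER))
```

The practical point is the fail-closed check in `gateway_verdict`: a gateway scanner that cannot reconcile the local headers with the central directory should block or quarantine the archive rather than declare it clean. It also shows why the desktop on-access scanner still catches the file in the scenario the representative describes: the unpacker reads sizes from the central directory and writes the full payload to disk.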

In related news, security software maker Symantec has hit back at claims by Secunia, a European security Web site, that hackers can turn off the auto-protect feature on some of Symantec's consumer antivirus and Internet security applications.

According to Secunia, some versions of Symantec's Norton AntiVirus contain errors that could let malicious users disable the product's auto-protect feature.

The Secunia advisory said vulnerable versions of the software could "be exploited by an unprivileged user to force the auto-protection to be disabled...It can further be exploited to download and execute malicious files that normally would be caught by the antivirus program."

But Symantec said that terminating the CCApp.exe process, the step Secunia describes as disabling auto-protect, does not actually switch the feature off.

"The termination of the CCApp.exe process does not result in Norton AntiVirus' auto-protect function being disabled," the Symantec representative said. "While terminating CCApp.exe will cause the disappearance of the Norton AntiVirus icon in the system tray and will disable notification of auto-protect, the user's system is still protected."

Neil Campbell, the national security manager of IT services company Dimension Data, said he is not surprised that the antivirus vendors are downplaying the risks, while the researchers that discover the vulnerabilities play them up.

"One of the ways to gain credibility as a security researcher is by identifying vulnerabilities," Campbell said. "It is in the researcher's best interests to talk potential problems up. The vendors naturally have to talk the problem down. And somewhere in-between there is the truth."

Campbell said a good way to determine the actual severity is to look at the number of people being affected and the impact the flaw is having.

"If you can't identify any victims, then you would tend to believe the vendors," he said. "But if you know that 5 million computers have been attacked, you would tend to believe the security researchers."
