ZOO archive issues hit security vendors

Posted by   Virus Bulletin on   May 9, 2007

Errors handling rare format patched by four AV and anti-spam products.

A researcher has revealed details of flawed implementation of a somewhat archaic archive format, .zoo, which has required patching in several anti-virus products and a popular anti-spam appliance, and also affects some archiving software.

Products from Avira, Alwil and Panda were all patched in late March and early April, as was the Barracuda Spam Firewall, after the vendors were informed of the infinite-loop issue by the researcher, Jean-Sebastien Guay-Leroux. In some cases exploitation of the flaw could have been used to cause extremely high processor usage or even denial of service in the security software, leaving systems vulnerable to further attack or blocking mail transfer on affected SMTP servers.

The flaw was first discovered in September last year, and all affected vendors were informed by March 19th. The last vendor to apply a patch, Alwil, released its fix in mid-April, and the vulnerability is being made public despite remaining issues with two archivers, PicoZip and WinAce, which are both affected by the flaw but whose makers have yet to respond to the researcher.

Most users of the affected products should be automatically protected by recent updates, but users are advised to check that they are running the latest versions of their security software at all times to ensure the best possible protection. More details of the flaws, including proof-of-concept exploit code, can be found at the researcher's site, here.

Trend Micro, troubled by a string of vulnerabilities in recent months, has also released details of two more buffer-overflow issues, which are thought to be exploitable only from the local system. Trend's patch releases covering the issues are here, advisories from the Zero Day Initiative are here and here, and a Secunia alert is here.

Posted on 09 May 2007 by Virus Bulletin



Latest posts:

First 11 partners of VB2019 announced

We are excited to announce the first 11 companies to partner with VB2019, whose support will help ensure a great event.

VB2018 paper: Fake News, Inc.

A former reporter by profession, Andrew Brandt's curiosity was piqued when he came across what appeared at first glance to be the website of a small-town newspaper based in Illinois, but under scrutiny, things didn’t add up. At VB2018 he presented a…

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.