________________________________________________________________________
F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________

***********************************************************************
Cheap plug: If you are interested in client-side vulnerabilities, visit
HACK.LU starting tomorrow [28-30 Oct] with:

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, Billy K Rios

Talks:
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré, Frederic Raynal
***********************************************************************

Release mode      : Coordinated
Reference         : [GSEC-48-2009] - F-Secure generic PDF bypass
WWW               : http://www.g-sec.lu/fsecure-pdf-bypass.html
Vendor            : http://www.f-secure.com
Status            : Patched
CVE               : none attributed yet
Credit            : tba (probably FSC-2009-3)
Discovered by     : Thierry Zoller (G-SEC)

Affected products :
~~~~~~~~~~~~~~~~~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates

I. Background
~~~~~~~~~~~~~
Quote:
"F-Secure offers a broad range of PC and internet security products made for
your home or business, so you will always be protected. Our internet security,
antivirus and anti-spyware software is trusted by more than 180 internet
service providers around the world. Moreover, with 16 global offices and a
presence within more than 100 countries, F-Secure is sure to be there for you
and your security software needs."

II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of
malicious PDF documents at scan time and at run time. This has been tested
with several malicious PDF files and represents a generic evasion of all PDF
signatures and heuristics.

General information about evasion/bypasses can be found at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature detection; 0day exploits may
evade heuristics.

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
15.05.2009 - Reported to F-Secure
12.07.2009 - Patches deployed automatically, F-Secure waits to coordinate
             public disclosure
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory

About G-SEC
~~~~~~~~~~~
G-SEC™ is a vendor-independent, Luxembourg-led IT security consulting group.
More information available at: http://www.g-sec.lu/
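The Description section above makes a general point: a scanner whose signatures and heuristics only see what its own structural parse of the PDF exposes can be evaded by a document whose structure that parser handles differently from the reader. The defensive counterpart is a scan that does not trust the xref table or trailer at all and instead counts objects and action keywords in the raw bytes, then flags disagreement between the declared structure and what is physically present. The following is an added example written for this page, not code from G-SEC or F-Secure; the sample PDF bytes are constructed here and the keyword list and the specific consistency checks are this example's own choices, not a description of the advisory's bypass.

```python
import re
from collections import Counter

# Constructed sample (not from the advisory): the catalog's /OpenAction points
# at a /JavaScript action object, and the xref table declares only two entries
# (object 0 and object 1), so an index-driven parser would never visit object 3.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n155\n%%EOF\n"
)

# Constructed benign sample: one object, xref consistent with it, no actions.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n40\n%%EOF\n"
)

# Action-related names counted wherever they appear in the file (hypothetical
# list chosen for this example; a real scanner would use a broader set).
ACTION_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def count_keywords(data: bytes) -> Counter:
    """Count objects and action keywords by scanning raw bytes.

    The xref table and trailer are deliberately ignored, so an object that the
    structural index never references is still counted.
    """
    counts = Counter()
    for kw in ACTION_KEYWORDS:
        # Trailing \b keeps /JS from matching inside longer names such as /JSX.
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"\b", data))
    # "N G obj" headers and "endobj" footers of indirect objects.
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    counts["endobj"] = len(re.findall(rb"\bendobj\b", data))
    return counts


def declared_xref_entries(data: bytes) -> int:
    """Entry count declared by the first xref subsection (0 if none found)."""
    m = re.search(rb"\bxref\s+(\d+)\s+(\d+)", data)
    return int(m.group(2)) if m else 0


def structural_warnings(data: bytes) -> list:
    """Return human-readable warnings where raw content and declared structure disagree."""
    c = count_keywords(data)
    warnings = []
    if not data.startswith(b"%PDF-"):
        warnings.append("missing %PDF header")
    if c["obj"] != c["endobj"]:
        warnings.append(f"obj/endobj mismatch: {c['obj']} obj vs {c['endobj']} endobj")
    # Entry 0 of the xref is the free-list head, so declared - 1 real objects at most.
    declared_objects = max(declared_xref_entries(data) - 1, 0)
    if c["obj"] > declared_objects:
        warnings.append(
            f"xref declares at most {declared_objects} objects but "
            f"{c['obj']} indirect objects are present in the raw bytes"
        )
    if c["/OpenAction"] and (c["/JavaScript"] or c["/JS"]):
        warnings.append("document runs JavaScript on open (/OpenAction with /JavaScript)")
    return warnings


if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, dict(count_keywords(pdf)))
        for w in structural_warnings(pdf):
            print("  WARNING:", w)
```

The design point is that the two views are compared rather than one being trusted: a mismatch between what the xref declares and what the raw scan finds is itself a signal worth routing to deeper inspection, independent of whether any known-malicious signature fires.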