CPNI - Centre for the Protection of National Infrastructure


May 2006

Sophos Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run

ID: 00347
Ref: 340/2006
Date: 11 May 2006 14:17:04
Version: 1

Title: Sophos Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run
Abstract: A vulnerability has been discovered in Sophos's unpacking of Microsoft Cabinet files, whereby a Microsoft Cabinet (CAB) file could be deliberately crafted to allow an attacker to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus.
Vendors affected: Sophos
Operating systems affected: Sophos
Applications affected: Sophos

Title
=====

Sophos Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run

Detail
======

A vulnerability has been discovered in Sophos's unpacking of Microsoft Cabinet files,
whereby a Microsoft Cabinet (CAB) file could be deliberately crafted to allow an attacker
to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus.

Although theoretically a risk, Sophos has not seen any examples of malware attempting
to employ this vulnerability.

Furthermore, the vulnerability does not prevent Sophos's desktop on-access scanner
from correctly detecting viruses (and preventing actual infection) which are unpacked
from affected files, so the risks of infection are very small.

Sophos has ensured that all of its products are protected against this issue.

Where necessary, you should upgrade to versions that are unaffected.
Customers using EM Library and Sophos small business solutions will have received these updates automatically.
Sophos Anti-Virus                                    | Affected versions | Non-affected versions | Update available
---------------------------------------------------- | ----------------- | --------------------- | ----------------
Sophos Anti-Virus for Windows 2000/XP/2003 v 5       | 5.2.0 and below   | 5.2.1 and above       | 5 May 2006
Sophos Anti-Virus for Windows 95/98/Me v 4.5         | 4.5.11 and below  | 4.5.12 and above      | 28 April 2006
Sophos Anti-Virus for Windows NT v 4.5               | 4.5.11 and below  | 4.5.12 and above      | 28 April 2006
Sophos Anti-Virus for Windows NT/2000/XP/2003 v 4.0x | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for Windows 95/98/Me v 4.0x        | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for Mac OS X v 4.7                 | 4.7.1 and below   | 4.7.2 and above       | 28 April 2006
Sophos Anti-Virus for Mac OS 8/9                     | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for UNIX/Linux                     | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for NetWare                        | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for OS/2                           | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for OpenVMS                        | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus for DOS/Windows 3.1x               | 4.04 and below    | 4.05 and above        | 28 April 2006

Small business solutions                             | Affected versions | Non-affected versions | Update available
---------------------------------------------------- | ----------------- | --------------------- | ----------------
Sophos Anti-Virus Small Business Edition (Windows)   | 4.04 and below    | 4.05 and above        | 28 April 2006
Sophos Anti-Virus Small Business Edition (Mac)       | 4.04 and below    | 4.05 and above        | 28 April 2006
PureMessage Small Business Edition                   | 4.04 and below    | 4.05 and above        | 28 April 2006

Gateway products                                     | Affected versions       | Non-affected versions   | Update available
---------------------------------------------------- | ----------------------- | ----------------------- | ----------------
PureMessage for Windows/Exchange                     | SAV version 5.2.0 and below | SAV version 5.2.1 and above | 5 May 2006
PureMessage for UNIX                                 | SAV version 4.04 and below  | SAV version 4.05 and above  | 28 April 2006
MailMonitor for SMTP - Windows                       | SAV version 4.04 and below  | SAV version 4.05 and above  | 28 April 2006
MailMonitor for Notes/Domino                         | SAV version 4.04 and below  | SAV version 4.05 and above  | 28 April 2006
MailMonitor for Exchange                             | SAV version 4.04 and below  | SAV version 4.05 and above  | 28 April 2006

Sophos thanks TippingPoint for their assistance in identifying this vulnerability.

Technical details
=================
A flaw exists within the unpacking of Microsoft Cabinet files. Parsing a specially crafted cabinet
file can lead to an exploitable heap corruption. This vulnerability is only exposed when cabinet
file inspection is explicitly enabled.

Authentication is not required to exploit this vulnerability. This vulnerability could allow a remote
attacker to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus.
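As an added example (not Sophos code and not the product's actual unpacker), the C below shows the bounds discipline that separates a safe cabinet reader from one in which a crafted file can reach heap corruption: every size, offset and count in the CAB header, folder table and file table is treated as untrusted and checked against the bytes actually in hand before anything is allocated, copied or dereferenced. The field layout follows Microsoft's public CAB format documentation; the error codes, the constructed sample cabinet and the four check functions are this example's own.

```c
/* Added example, not Sophos code: a bounds-checked reader for the fixed
 * structures of a Microsoft Cabinet (CAB) file. Every length and offset read
 * from the file is checked against the bytes actually held before it drives an
 * allocation, copy or pointer. Layout follows the public CAB format documentation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum cab_status { CAB_OK = 0, CAB_ERR_SHORT = -1, CAB_ERR_SIGNATURE = -2,
                  CAB_ERR_SIZE = -3, CAB_ERR_LAYOUT = -4, CAB_ERR_NAME = -5, CAB_ERR_FOLDER = -6 };
/* Fixed structure sizes from the format; CAB_MAX_NAME is the cap on szName incl. NUL. */
enum { CFHEADER_SIZE = 36, CFFOLDER_SIZE = 8, CFFILE_FIXED = 16, CAB_MAX_NAME = 256 };
#define CFHDR_RESERVE_PRESENT 0x0004u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate the CFHEADER, the CFFOLDER table and every CFFILE entry of the
 * cabinet held in buf[0..len). Returns CAB_OK, reporting the longest szName so
 * a caller can size its copy buffer, or a negative cab_status naming the fault. */
int cab_validate(const uint8_t *buf, size_t len, size_t *longest_name)
{
    if (len < CFHEADER_SIZE) return CAB_ERR_SHORT;
    if (memcmp(buf, "MSCF", 4) != 0) return CAB_ERR_SIGNATURE;
    uint32_t cb_cabinet = rd32(buf + 8), off_files = rd32(buf + 16);
    uint16_t n_folders = rd16(buf + 26), n_files = rd16(buf + 28), flags = rd16(buf + 30);
    /* Trust len (what we hold), never the file's own claim about its size. */
    if (cb_cabinet > len || cb_cabinet < CFHEADER_SIZE) return CAB_ERR_SIZE;
    if (n_folders == 0 || n_files == 0) return CAB_ERR_LAYOUT;
    /* 64-bit arithmetic so no attacker-chosen 16/32-bit field can wrap a check. */
    uint64_t pos = CFHEADER_SIZE, folder_entry = CFFOLDER_SIZE;
    if (flags & CFHDR_RESERVE_PRESENT) {          /* optional reserve block present */
        if (cb_cabinet < pos + 4) return CAB_ERR_SHORT;
        folder_entry += buf[pos + 2];             /* cbCFFolder: per-folder reserve */
        pos += 4 + rd16(buf + pos);               /* cbCFHeader: header reserve */
    }
    /* Folder table must end before the file table, which must lie inside the cabinet. */
    if (pos + (uint64_t)n_folders * folder_entry > off_files || off_files > cb_cabinet)
        return CAB_ERR_LAYOUT;
    uint64_t fpos = off_files;
    size_t longest = 0;
    for (unsigned i = 0; i < n_files; i++) {
        if (fpos + CFFILE_FIXED > cb_cabinet) return CAB_ERR_SHORT;
        uint16_t ifolder = rd16(buf + fpos + 8);  /* 0xFFFD..0xFFFF: file spans cabinets */
        if (ifolder >= n_folders && ifolder < 0xFFFD) return CAB_ERR_FOLDER;
        fpos += CFFILE_FIXED;
        /* szName: find the NUL without reading past the cabinet or the format cap. */
        uint64_t end = fpos;
        while (end < cb_cabinet && buf[end] != 0 && end - fpos < CAB_MAX_NAME) end++;
        if (end >= cb_cabinet || buf[end] != 0) return CAB_ERR_NAME;
        if (end - fpos > longest) longest = (size_t)(end - fpos);
        fpos = end + 1;
    }
    if (longest_name) *longest_name = longest;
    return CAB_OK;
}

/* Constructed sample, not a cabinet seen in the wild: one folder holding one
 * stored (uncompressed) file "a.txt" with content "hello". Returns its length, 79. */
size_t build_sample_cab(uint8_t out[96])
{
    const size_t off_files = CFHEADER_SIZE + CFFOLDER_SIZE;  /* 44 */
    const size_t off_data = off_files + CFFILE_FIXED + 6;    /* 66, after "a.txt\0" */
    const size_t total = off_data + 8 + 5;                   /* 79: CFDATA header + payload */
    memset(out, 0, 96);
    memcpy(out, "MSCF", 4);
    wr32(out + 8, (uint32_t)total);                  /* cbCabinet */
    wr32(out + 16, (uint32_t)off_files);             /* coffFiles */
    out[24] = 3; out[25] = 1;                        /* version 1.3 */
    wr16(out + 26, 1); wr16(out + 28, 1);            /* cFolders, cFiles */
    wr32(out + CFHEADER_SIZE, (uint32_t)off_data);   /* CFFOLDER.coffCabStart */
    wr16(out + CFHEADER_SIZE + 4, 1);                /* CFFOLDER.cCFData; typeCompress 0 = none */
    wr32(out + off_files, 5);                        /* CFFILE.cbFile */
    wr16(out + off_files + 14, 0x20);                /* CFFILE.attribs: archive */
    memcpy(out + off_files + CFFILE_FIXED, "a.txt", 6);
    wr16(out + off_data + 4, 5); wr16(out + off_data + 6, 5); /* CFDATA.cbData, cbUncomp */
    memcpy(out + off_data + 8, "hello", 5);
    return total;
}

/* What a scanner's regression tests would check: the sample is accepted, and
 * three crafted corruptions are each rejected before any copy could happen. */
int check_valid(void) {                  /* returns 1 when accepted with name length 5 */
    uint8_t b[96]; size_t n = build_sample_cab(b), longest = 0;
    return cab_validate(b, n, &longest) == CAB_OK && longest == 5;
}
int check_inflated_size(void) {          /* cbCabinet claims 2 GB while only 79 bytes exist */
    uint8_t b[96]; size_t n = build_sample_cab(b);
    wr32(b + 8, 0x7fffffffu);
    return cab_validate(b, n, NULL);
}
int check_unterminated_name(void) {      /* szName runs to the end of the data with no NUL */
    uint8_t b[96]; size_t n = build_sample_cab(b);
    memset(b + 60, 'A', n - 60);
    return cab_validate(b, n, NULL);
}
int check_folder_overflow(void) {        /* cFolders = 65535 pushes the folder table past coffFiles */
    uint8_t b[96]; size_t n = build_sample_cab(b);
    wr16(b + 26, 0xFFFF);
    return cab_validate(b, n, NULL);
}
```

The three rejected cases are the generic shapes a fuzzer finds in archive parsers: a header that claims more bytes than exist, a name field with no terminator, and a count that multiplies into an offset beyond the table it must precede. Since the advisory notes the flaw is only exposed when cabinet inspection is explicitly enabled, administrators running an affected version listed above should treat that setting as the exposed configuration until the update has been applied.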

If you need more information or guidance, then please contact technical support.

URL: http://www.sophos.com/support/knowledgebase/article/4934.html