CPNI - Centre for the Protection of National Infrastructure


June 2006

F-Secure Security Bulletin FSC-2006-4 Scanning bypass vulnerability in antivirus products for Windows

ID: 00449
Ref: 436/2006
Date: 29 June 2006:14:28:05
Version: 1

Title: F-Secure Security Bulletin FSC-2006-4 Scanning bypass vulnerability in antivirus products for Windows
Abstract:
Vendors affected: F-Secure
Operating systems affected: F-Secure
Applications affected: F-Secure

Detail
======

F-Secure Security Bulletin FSC-2006-4
Scanning bypass vulnerability in antivirus products for Windows

Date issued:        2006-06-28
Last updated:       2006-06-28
Risk factor:        High (Low/Medium/High/Critical)

Brief description:  Antivirus products for Windows client and server systems
                    fail to detect malware under certain circumstances.
                    Failures of this kind may lead to malware infections on
                    protected systems. Linux, Mobile and Windows-based gateway
                    products are not affected by the vulnerability.

Software:           F-Secure Anti-Virus client and server products for the
                    Windows operating system

Affected versions:  F-Secure Anti-Virus 2003 - 2006
                    F-Secure Internet Security 2003 - 2006
                    F-Secure Service Platform for Service Providers 6.xx and earlier
                    F-Secure Anti-Virus for Workstations version 5.44 and earlier
                    F-Secure Anti-Virus Client Security version 6.01 and earlier
                    F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
                    F-Secure Anti-Virus for Citrix Servers version 5.50 - 5.52
                    F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
                    Note: Earlier versions of F-Secure Service Platform for
                    Service Providers are known as F-Secure Personal Express

Affected platforms: Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003
                    Some of the affected product versions support other
                    platforms than those mentioned above. Installations on
                    such platforms are not affected by the vulnerability.

Bulletin location:  http://www.f-secure.com/security/fsc-2006-4.shtml


Issue:

The advisory and issued hotfixes address two separate scenarios that
both can lead to malware bypass.

1. The name of an executable program has been modified in a certain
way. This leads to scanning failure despite the fact that it may
be possible to execute the file.
2. The product fails to scan files on removable media. This occurs
only in certain configurations where the Scan network drives option
has been disabled.

Both scenarios may lead to system infection as the real-time scanner
may grant permission to execute program files even if they are
infected. The vulnerability cannot, to F-Secure's knowledge, be used for
privilege escalation attacks or to gain remote access to affected systems.


Products:

F-Secure Anti-Virus 2003 - 2006
F-Secure Internet Security 2003 - 2006
F-Secure Service Platform for Service Providers 6.xx and earlier
Co-branded service provider concepts based on one of the above products

Note: Earlier versions of F-Secure Service Platform for Service Providers
are known as F-Secure Personal Express

Risk Factor: Medium

These systems are affected by the vulnerability but the needed hotfixes
are distributed automatically to all the affected systems. Users do
not need to take any actions.


Products:

F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier

Risk Factor: Medium

These systems are affected by the vulnerability but their main task
is typically to filter mail traffic. The vulnerability only affects
local use of the computer and the risk for infection is thus
significantly lower.

F-Secure recommends that administrators of systems in this category
apply the needed hotfix or upgrade to a version that is not affected,
if available.


Products:

All other affected products

Risk Factor: High

All these products are typically used on systems where programs are
executed both from the hard drive and removable media.

F-Secure recommends that administrators of systems in this category
apply the needed hotfix or upgrade to a version that is not affected,
if available.


Mitigating Factors:

* Products for home users and service provider concepts use automatic
hotfix distribution and will be patched without user actions.
* The ability to execute program files with modified names is decreased.
Some of the methods that normally can be used to launch a program
fail with files modified in this way.
* The scanning failure on removable media only occurs if the Scan
network drives option has been turned off.
* Linux, Mobile and Windows-based gateway products are not affected by the vulnerability.
* The vulnerability only affects some of the platforms that the affected products support.


Patch and upgrade availability:

Product:   F-Secure Anti-Virus 2003 - 2006
Versions:  -
Hotfix:    Hotfix distributed automatically, no user actions needed.

Product:   F-Secure Internet Security 2003 - 2006
Versions:  -
Hotfix:    Hotfix distributed automatically, no user actions needed.

Product:   F-Secure Personal Express
Versions:  5.xx and earlier
Hotfix:    Hotfix distributed automatically, no user actions needed.

Product:   F-Secure Internet Security for Service Providers
Versions:  6.xx
Hotfix:    Hotfix distributed automatically, no user actions needed.

Product:   F-Secure Anti-Virus for Workstations
Versions:  5.42 - 5.44
Hotfix:    fsavwk620-02
           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
Upgrade:   Or upgrade with remote installation package 5.44 build 12250
           ftp://ftp.f-secure.com/support/hotfix/fsav/fsav_5.44-wks-12250-signed.jar

Product:   F-Secure Anti-Virus Client Security
Versions:  5.54 - 6.01
Hotfix:    fsavwk620-02
           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
Upgrade:   Or upgrade with remote installation package 5.55SR3, 5.58 or 6.02
           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.55-SR3-12251-signed.jar
           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.58-12250-signed.jar
           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_6.02-12250-signed.jar

Product:   F-Secure Anti-Virus for Windows Servers
Versions:  5.50 - 5.52
Hotfix:    fsavsr552-05
           ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
Upgrade:   Or upgrade with remote installation package 5.52 build 12250
           ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav_5.52-srv-12250-signed.jar

Product:   F-Secure Anti-Virus for Citrix Servers
Versions:  5.50 - 5.52
Hotfix:    fsavsr552-05
           ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix

Product:   F-Secure Anti-Virus for MIMEsweeper
Versions:  5.61
Hotfix:    fsavsr552-05
           ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix


Revision History: FSC-2006-4 - 2006-06-28

Contact Information:

Support:  http://support.f-secure.com/enu/corporate/contactus/
Security: http://www.f-secure.com/security/
URL:      http://www.f-secure.com/