===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2008.0164 -- [Win][Linux]
       F-Secure - Specially crafted CAB and RAR archives can bypass
                            antivirus scanning
                             26 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              F-Secure Internet Security 2008
                      F-Secure Internet Security 2007 Second Edition
                      F-Secure Internet Security 2007
                      F-Secure Internet Security 2006
                      F-Secure Anti-Virus 2008
                      F-Secure Anti-Virus 2007 Second Edition
                      F-Secure Anti-Virus 2007
                      F-Secure Anti-Virus 2006
                      F-Secure Anti-Virus Client Security 7.10
                      F-Secure Anti-Virus Client Security 7.01
                      F-Secure Anti-Virus Client Security 6.04
                      F-Secure Anti-Virus Client Security 6.03
                      F-Secure Anti-Virus for Workstations 7.10
                      F-Secure Anti-Virus for Workstations 7.00
                      F-Secure Anti-Virus for Workstations 5.44
                      F-Secure Anti-Virus Linux Client Security 5.53
                      F-Secure Anti-Virus Linux Client Security 5.52
                      F-Secure Anti-Virus for Linux 4.65
                      F-Secure Protection Service for Consumers version 7.00 and prior
                      F-Secure Protection Service for Business version 3.00 and prior
                      F-Secure Anti-Virus for Windows Servers 7.00
                      F-Secure Anti-Virus for Windows Servers 5.52
                      F-Secure Anti-Virus for Citrix Servers 5.52
                      F-Secure Anti-Virus Linux Server Security 5.53
                      F-Secure Anti-Virus Linux Server Security 5.52
                      F-Secure Anti-Virus for Microsoft Exchange 7.0
                      F-Secure Anti-Virus for Microsoft Exchange 6.62
                      F-Secure Internet Gatekeeper 6.61, Windows
                      F-Secure Internet Gatekeeper for Linux 2.16
                      F-Secure Anti-Virus for MIMEsweeper 5.61
                      F-Secure Messaging Security Gateway 4.0.7 and prior
Publisher:            F-Secure
Operating System:     Windows
                      Linux variants
Impact:               Inappropriate Access
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0792 CVE-2008-0910

Revision History:     February 26 2008: Issue CVE-2008-0910 discovered,
                        which is related to CVE-2008-0792, the topic of
                        this bulletin.
                      February 14 2008: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

F-Secure Security Bulletin FSC-2008-1/FSC-2007-7
Vulnerabilities in scanning of specially crafted CAB and RAR archives

   Date issued: 2008-02-13
   Last updated: 2008-02-13
   Risk factor: High (Low/Medium/High/Critical)
   Brief description: Specially crafted CAB and RAR archives can bypass
                      antivirus scanning.
   Affected platforms: All supported platforms
   Clients:
   Products:
   * F-Secure Internet Security 2008
   * F-Secure Internet Security 2007 Second Edition
   * F-Secure Internet Security 2007
   * F-Secure Internet Security 2006
   * F-Secure Anti-Virus 2008
   * F-Secure Anti-Virus 2007 Second Edition
   * F-Secure Anti-Virus 2007
   * F-Secure Anti-Virus 2006
   * F-Secure Anti-Virus Client Security 7.10
   * F-Secure Anti-Virus Client Security 7.01
   * F-Secure Anti-Virus Client Security 6.04
   * F-Secure Anti-Virus Client Security 6.03
   * F-Secure Anti-Virus for Workstations 7.10
   * F-Secure Anti-Virus for Workstations 7.00
   * F-Secure Anti-Virus for Workstations 5.44
   * F-Secure Anti-Virus Linux Client Security 5.53
   * F-Secure Anti-Virus Linux Client Security 5.52
   * F-Secure Anti-Virus for Linux 4.65
   * Solutions based on F-Secure Protection Service for Consumers version
     7.00 and earlier
   * Solutions based on F-Secure Protection Service for Business version
     3.00 and earlier
   Risk Factor: Medium

   A user is able to move infected archives to and from the client, but the
   client does not get infected.
     _________________________________________________________________

   Mitigating Factors:
     * Exploitation of these vulnerabilities requires specially crafted
       archives
     * The CAB issue has been fixed automatically in F-Secure database
       updates, while fixing the RAR archive scanning requires installing
       the hotfix below.
     * Client software catches hostile content after the CAB/RAR container
       is opened, thus making infection impossible.
     _________________________________________________________________

   Servers:
   Products:
   * F-Secure Anti-Virus for Windows Servers 7.00
   * F-Secure Anti-Virus for Windows Servers 5.52
   * F-Secure Anti-Virus for Citrix Servers 5.52
   * F-Secure Anti-Virus Linux Server Security 5.53
   * F-Secure Anti-Virus Linux Server Security 5.52
   Risk Factor: Medium

   A user is able to move infected content to and from servers.
     _________________________________________________________________

   Mitigating Factors:
     * Exploitation of these vulnerabilities requires specially crafted
       archives
     * The CAB issue has been fixed automatically in F-Secure database
       updates, while fixing the RAR archive scanning requires installing
       the hotfix below.
     * By default, server software does not scan CAB/RAR packed content.
       When the container is opened, the exposed content is scanned, thus
       making infection impossible.
     _________________________________________________________________

   Gateways:
   Products:
   * F-Secure Anti-Virus for Microsoft Exchange 7.0
   * F-Secure Anti-Virus for Microsoft Exchange 6.62
   * F-Secure Internet Gatekeeper 6.61, Windows
   * F-Secure Internet Gatekeeper for Linux 2.16
   * F-Secure Anti-Virus for MIMEsweeper 5.61
   * F-Secure Messaging Security Gateway 4.0.7 and earlier
   Risk Factor: High

   The gateway passes archives unscanned.
     _________________________________________________________________

   Mitigating Factors:
     * Exploitation of these vulnerabilities requires specially crafted
       archives
     * The CAB issue has been fixed automatically in F-Secure database
       updates, while fixing the RAR archive scanning requires installing
       the hotfix below.
     _________________________________________________________________

   Bulletin location: http://www.f-secure.com/security/fsc-2008-1.shtml

   Patch availability:
   Product    Versions    Hotfix ID
     Download

   * F-Secure Anti-Virus Client Security 6.03 6.04 fsavwk604-01
     ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk604-01-signed.fsfix
   * F-Secure Anti-Virus Client Security 7.00-7.10 fsav741-02
     ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsav741-02-signed.fsfix
   * F-Secure Anti-Virus for Workstations 5.44 fsavwk572-01
     ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk572-01-signed.fsfix
   * F-Secure Anti-Virus for Workstations 7.00-7.10 fsav741-02
     ftp://ftp.f-secure.com/support/hotfix/fsav/fsav741-02-signed.fsfix
   * F-Secure Anti-Virus for Windows Servers 5.52 fsavsr552-14
     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
   * F-Secure Anti-Virus for Windows Servers 7.00 fsav720-03
     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav720-03-signed.fsfix
   * F-Secure Anti-Virus for Citrix Servers 5.52 fsavsr552-14
     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
   * F-Secure Anti-Virus Linux Client Security 5.52 New product build#7020
     http://www.f-secure.com/webclub/fscsl.html
   * F-Secure Anti-Virus Linux Client Security 5.53 New product build#7020
     http://www.f-secure.com/webclub/fscsl.html
   * F-Secure Anti-Virus Linux Server Security 5.52 New product build#7020
     http://www.f-secure.com/webclub/fsssl.html
   * F-Secure Anti-Virus Linux Server Security 5.53 New product build#7020
     http://www.f-secure.com/webclub/fsssl.html
   * F-Secure Anti-Virus for Linux Gateways 4.65 New product build#7020
     http://www.f-secure.com/webclub/fsavgwl.html
   * F-Secure Anti-Virus for Linux Servers 4.65 New product build#7020
     http://www.f-secure.com/webclub/fsavsrvl.html
   * F-Secure Anti-Virus for Microsoft Exchange 6.62 fsavmse662-04
     ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse662-04.zip
   * F-Secure Anti-Virus for Microsoft Exchange 7.00 fsavmse700-01
     ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse700-01.zip
   * F-Secure Internet Gatekeeper 6.61 fsigk661-01
     ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk661-01.zip
   * F-Secure Internet Gatekeeper for Linux 2.16 New product build#533
     http://www.f-secure.com/webclub/fsigkl.html
   * F-Secure Anti-Virus for MIMEsweeper 5.61 fsavsr552-14
     ftp://ftp.f-secure.com/support/hotfix/fsav-msw/fsavsr552-14-signed.fsfix
   * F-Secure Messaging Security Gateway 3.x
     Unsupported version. Please upgrade to the latest version.
   * F-Secure Messaging Security Gateway 4.0.6 4.0.7
     Packages will be available in the update channel, and installed automatically.
   * Protection Services For Consumers 5 and 6
     Packages will be available in the update channel, and installed automatically.
   * Protection Services For Businesses 3
     Packages will be available in the update channel, and installed automatically.
   * F-Secure Internet Security 2006, 2007, 2007 Second Edition, 2008
     Packages will be available in the update channel, and installed automatically.

   Credits: F-Secure wants to thank Mr Thierry Zoller at n.runs AG for
   reporting these issues.

   Revision History: FSC-2008-02-13

   Contact Information:
   Support: http://support.f-secure.com/enu/home/contactus/
   Security: http://www.f-secure.com/security/
   URL: http://www.f-secure.com/


--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
