F-Secure warns of archive protocol danger

Security vendor F-Secure has warned of multiple critical vulnerabilities in its own and other vendors' products.

The vulnerabilities exist in the way the products respond to malformed archive files, and were discovered by researchers at the University of Oulu in Finland.

"The Secure Programming Group at Oulu University has created a collection of malformed archive files," wrote F-Secure director of antivirus research, Mikko Hyppönen, in a blog post on Monday. "These archive files break and crash products from at least 40 vendors — including several antivirus vendors… including us."

F-Secure products affected include F-Secure Internet Security 2008, F-Secure Anti-Virus 2008, F-Secure Mobile Anti-Virus for Windows Mobile 2003/5.0/6, and F-Secure Anti-Virus for Linux 4.65 and earlier versions, according to an F-Secure security bulletin. Successful exploitation of the vulnerabilities could result in remote code execution.

Other software affected includes Debian libarchive1, FreeBSD libarchive 3, Gentoo app-arch/libarchive and Suse libarchive, according to an advisory from the Finnish computer emergency response team, CERT-FI.

The University of Oulu researchers discovered the vulnerabilities in various archive file formats, including ZIP, as part of their Protos Genome Project. The project tested malformed archive protocols inputted into archive file formats. The research identified that "most implementations evaluated failed to perform in a robust manner", according to the CERT-FI advisory.

Patches are available for some of the affected F-Secure products via links in the F-Secure security bulletin, while patches for affected Linux products are available through links in the CERT-FI advisory.