Antivirus holes zipped up

The antivirus firm Sophos claims to have closed a loophole in its software that was made public yesterday, and Symantec has hit back at Secunia's claims about Norton's flaws

Sophos updated its antivirus engine on Wednesday to plug a security hole that allowed virus writers to manipulate compressed files and avoid detection by the antivirus software's scans.

The vulnerability was discovered by US-based security firm iDEFENSE and also affected products from McAfee, Computer Associates, Kaspersky, Eset and RAV.

On Tuesday, after being contacted by ZDNet UK sister site ZDNet Australia, Sophos admitted that the vulnerability existed. A spokesperson for the company said vulnerable products will automatically update today and a fix will be available for download from the company's Web site on Friday.

However, Sophos played down the seriousness of the problem, claiming that there was a "theoretical risk" and the company had not seen any examples of the vulnerability being exploited.

"Sophos has enhanced its scan engine (Version 3.87.0) to deal with malformed ZIP files. Sophos has not seen any examples of malware attempting to employ this vulnerability. Furthermore, the vulnerability does not prevent Sophos's desktop on-access scanner from correctly detecting viruses that manage to bypass the email gateway software," the spokesperson said.
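The Sophos fix above concerns scanners that mis-handle malformed ZIP files. The defensive pattern a gateway operator wants is to fail closed: an archive whose structure cannot be verified is held rather than passed through unscanned. The following is an added illustration written for this page, not code from Sophos, iDEFENSE or any other vendor named in the article; it walks a ZIP's central directory, cross-checks each local file header against it, and quarantines anything inconsistent. The sample archive and the two damaged copies are constructed in memory for the demonstration.

```python
"""Added example (not the article's or any vendor's code): a fail-closed
structural check for ZIP attachments at a mail gateway. Any archive whose
two views (central directory and local headers) disagree, or which cannot
be parsed at all, is quarantined instead of being forwarded unscanned."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header
DATA_DESCRIPTOR_FLAG = 0x0008


def build_sample_zip() -> bytes:
    """Constructed sample: a small, well-formed archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures\n" * 50)
        zf.writestr("notes/readme.txt", "hello")
    return buf.getvalue()


def structural_errors(data: bytes) -> list:
    """Walk the central directory and cross-check every local header.

    Returns a list of problems; an empty list means both views of the
    archive agree, which is what a scanner relies on when it decides
    which entries to decompress and inspect."""
    errors = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return ["missing or truncated end-of-central-directory record"]
    (_, disk, cd_disk, n_this, n_total,
     cd_size, cd_off, _) = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    if disk != 0 or cd_disk != 0 or n_this != n_total:
        errors.append("multi-disk archive claimed")
    if cd_off + cd_size > eocd:
        errors.append("central directory overlaps or passes the EOCD record")
        return errors

    pos, seen = cd_off, 0
    while pos < cd_off + cd_size:
        if data[pos:pos + 4] != CDIR_SIG or pos + 46 > len(data):
            errors.append("bad central directory header at offset %d" % pos)
            return errors
        (_, _, _, c_flags, c_method, _, _, c_crc, c_csize, c_usize,
         c_nlen, c_xlen, c_clen, _, _, _, loc) = struct.unpack(
            "<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        c_name = data[pos + 46:pos + 46 + c_nlen]
        pos += 46 + c_nlen + c_xlen + c_clen
        seen += 1

        if loc + 30 > len(data) or data[loc:loc + 4] != LOCAL_SIG:
            errors.append("%r: local header missing at offset %d" % (c_name, loc))
            continue
        (_, _, l_flags, l_method, _, _, l_crc, l_csize, l_usize,
         l_nlen, l_xlen) = struct.unpack("<4sHHHHHIIIHH", data[loc:loc + 30])
        l_name = data[loc + 30:loc + 30 + l_nlen]
        if l_name != c_name:
            errors.append("%r: local header names %r" % (c_name, l_name))
        if l_method != c_method:
            errors.append("%r: compression method disagrees" % c_name)
        # Sizes and CRC are in the local header unless a data descriptor
        # follows the entry; then only the central copy is authoritative.
        if not (l_flags & DATA_DESCRIPTOR_FLAG) and \
                (l_crc, l_csize, l_usize) != (c_crc, c_csize, c_usize):
            errors.append("%r: size or CRC disagrees between headers" % c_name)
        if loc + 30 + l_nlen + l_xlen + c_csize > cd_off:
            errors.append("%r: entry data runs into the central directory" % c_name)
    if seen != n_total:
        errors.append("EOCD claims %d entries, found %d" % (n_total, seen))
    return errors


def gateway_decision(data: bytes) -> str:
    """Fail closed: forward to the scanner only what parses consistently.

    The standard library's parser and CRC test act as an independent second
    opinion; two parsers disagreeing about one file is itself a warning."""
    if structural_errors(data):
        return "quarantine"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return "quarantine"
    except zipfile.BadZipFile:
        return "quarantine"
    return "scan"


if __name__ == "__main__":
    good = build_sample_zip()
    truncated = good[:-10]            # constructed: EOCD record cut short
    damaged = bytearray(good)
    damaged[0:4] = b"XXXX"            # constructed: first local header signature destroyed
    for label, blob in (("well-formed", good), ("truncated", truncated),
                        ("damaged", bytes(damaged))):
        print(label, gateway_decision(blob), structural_errors(blob))
```

The point of the two-parser design is the one the article's dispute turns on: a scanner that silently skips what it cannot parse gives the attacker the benefit of the doubt, while a gateway that quarantines on any structural disagreement does not, and the held file can still be inspected by hand or by the desktop on-access scanner Sophos mentions.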

Symantec on Wednesday hit back at claims by Secunia, a European security Web site, that hackers can turn off the auto protect feature on some of Symantec's consumer antivirus and Internet security applications.

According to Secunia, some versions of Norton AntiVirus contain errors that could allow malicious users to disable the product's auto-protect feature.

The Secunia advisory said vulnerable versions of the software could "be exploited by an unprivileged user to force the auto-protection to be disabled… It can further be exploited to download and execute malicious files that normally would be caught by the antivirus program." But Symantec told ZDNet UK sister site ZDNet Australia that when the auto-protect function is supposedly disabled by terminating the CCApp.exe process, Norton AntiVirus's auto-protect feature is in fact still active.

"The termination of the CCApp.exe process does not result in Norton AntiVirus’s Auto-Protect function being disabled. While terminating CCApp.exe will cause the disappearance of the Norton AntiVirus icon in the system tray, and will disable notification of Auto-Protect, the user’s system is still protected," the Symantec spokesperson said.

Neil Campbell, the national security manager of IT services company Dimension Data, told ZDNet Australia he was not surprised that the antivirus vendors play down the risks while the researchers who discover the vulnerabilities play them up.

"One of the ways to gain credibility as a security researcher is by identifying vulnerabilities. It is in the researcher’s best interests to talk potential problems up. The vendors naturally have to talk the problem down and somewhere in-between there is the truth," said Campbell.

Campbell said a good way of deciding on the actual severity is to look at the number of people being affected and the impact the flaw is having.

"If you can’t identify any victims then you would tend to believe the vendors. But if you know that five million computers have been attacked you would tend to believe the security researchers," said Campbell.