Sophos corrects 'theoretical' flaw

Security software maker updates antivirus engine to plug hole that lets virus writers manipulate compressed files and avoid detection.

Security software maker Sophos updated its antivirus engine on Wednesday to plug a hole that would let virus writers manipulate compressed files and avoid detection.

The vulnerability was discovered by U.S.-based security company iDefense and also affects McAfee, Computer Associates, Kaspersky Lab, Eset and GeCAD Software's RAV.

On Tuesday, after being contacted by ZDNet Australia, Sophos acknowledged the vulnerability existed. A company representative said that vulnerable products will automatically update Wednesday and that a fix will be available for download from the company's Web site on Friday.

Sophos downplayed the seriousness of the problem, asserting that the risk was "theoretical" and that the company had not seen any examples of the vulnerability being exploited.

"Sophos has enhanced its scan engine (version 3.87.0) to deal with malformed Zip files," the representative said. "Sophos has not seen any examples of malware attempting to employ this vulnerability. Furthermore, the vulnerability does not prevent Sophos' desktop on-access scanner from correctly detecting viruses that manage to bypass the e-mail gateway software."
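The article says only that malformed Zip files could be used to slip past the scanner and that Sophos's engine was updated to deal with them; it does not say which fields were manipulated. The example below is added here to show the general check a practitioner would want in a gateway scanner, and is not Sophos's, iDefense's or any vendor's code. A Zip file describes every member twice, once in a local file header in front of the compressed data and once in the central directory at the end, and a scanner that trusts one description while the extractor on the desktop trusts the other can be made to scan something different from what the user unpacks. The script builds a small constructed archive, cross-checks the two descriptions, and then applies a malformation of my own choosing (zeroing the CRC and size fields in one local header) to show how a local-header-driven walk and a central-directory-driven extractor then disagree. That particular malformation is an assumption for illustration, not a description of the reported flaw; the member names and payload bytes are constructed.

```python
"""Added example: cross-check a Zip's local file headers against its central
directory. Constructed input; the malformation is illustrative only."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DESCRIPTOR_SIG = b"PK\x07\x08"
FLAG_DATA_DESCRIPTOR = 0x08  # bit 3: sizes follow the data, header holds zeros


def build_zip(entries):
    """Build a well-formed zip in memory from (name, bytes) pairs (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def parse_central_directory(data):
    """Return {name: (crc, compressed_size, uncompressed_size, local_header_offset)}.
    Locates the end-of-central-directory record by its signature; production code
    should also bound the search and validate the record length."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = {}, cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<IIIHHH", data, pos + 16)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries[name] = (crc, csize, usize, local_off)
        pos += 46 + nlen + xlen + clen
    return entries


def read_local_header(data, off):
    """Return (name, flags, crc, csize, usize, data_start) for the local header at OFF."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {off}")
    flags = struct.unpack_from("<H", data, off + 6)[0]
    crc, csize, usize, nlen, xlen = struct.unpack_from("<IIIHH", data, off + 14)
    name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
    return name, flags, crc, csize, usize, off + 30 + nlen + xlen


def check_zip_consistency(data):
    """List every member whose local header disagrees with the central directory.
    An empty list means the archive's two descriptions of itself agree."""
    problems = []
    for name, (crc, csize, usize, off) in parse_central_directory(data).items():
        try:
            lname, flags, lcrc, lcsize, lusize, data_start = read_local_header(data, off)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if lname != name:
            problems.append(f"{name}: local header names it {lname!r}")
        if flags & FLAG_DATA_DESCRIPTOR:
            # Legitimate case: real CRC/sizes sit in a descriptor after the data.
            dd = data_start + csize
            if data[dd:dd + 4] == DESCRIPTOR_SIG:
                dd += 4
            lcrc, lcsize, lusize = struct.unpack_from("<III", data, dd)
        if (lcrc, lcsize, lusize) != (crc, csize, usize):
            problems.append(
                f"{name}: central dir crc={crc:#x} csize={csize} usize={usize}; "
                f"local header crc={lcrc:#x} csize={lcsize} usize={lusize}")
    return problems


def walk_local_headers(data):
    """What a scanner that trusts only local headers sees: [(name, compressed_size)],
    stepping forward by each header's own size until the signature runs out."""
    seen, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        name, flags, _crc, csize, _usize, data_start = read_local_header(data, pos)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # would need to scan for the descriptor; not needed here
        seen.append((name, csize))
        pos = data_start + csize
    return seen


def zero_local_sizes(data, name):
    """Constructed malformation (my assumption, not the reported flaw): zero the CRC
    and both size fields in NAME's local header; the central directory stays intact."""
    off = parse_central_directory(data)[name][3]
    patched = bytearray(data)
    struct.pack_into("<III", patched, off + 14, 0, 0, 0)
    return bytes(patched)


def extract_via_central_directory(data, name):
    """Python's zipfile takes sizes and CRC from the central directory, so the
    member still extracts after the local header has been zeroed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    good = build_zip([("readme.txt", b"hello"), ("payload.exe", b"MZ" + b"constructed " * 40)])
    bad = zero_local_sizes(good, "payload.exe")
    print("well-formed:", check_zip_consistency(good) or "headers agree")
    print("local-header walk of malformed file:", walk_local_headers(bad))
    print("mismatches:", check_zip_consistency(bad))
    print("bytes the extractor still yields:", len(extract_via_central_directory(bad, "payload.exe")))
```

The point of the check is the disagreement itself: whichever description is "right", an archive whose local headers and central directory do not match should be treated as suspect and scanned by both paths or rejected, which is consistent with Sophos's remark that the on-access scanner still catches what the gateway misses, since the desktop extractor ends up producing the real payload.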

In related news, security software maker Symantec on Wednesday hit back at claims by Secunia, a European security Web site, that hackers can turn off the auto-protect feature on some of Symantec's consumer antivirus and Internet security applications.

According to Secunia, some versions of Symantec's Norton AntiVirus contain errors that could let malicious users disable the product's auto-protect feature.

The Secunia advisory said vulnerable versions of the software could "be exploited by an unprivileged user to force the auto-protection to be disabled...It can further be exploited to download and execute malicious files that normally would be caught by the antivirus program."

But Symantec said that terminating the CCApp.exe process, the step described as disabling auto-protect, does not actually turn off Norton AntiVirus's auto-protect feature.

"The termination of the CCApp.exe process does not result in Norton AntiVirus' auto-protect function being disabled," the Symantec representative said. "While terminating CCApp.exe will cause the disappearance of the Norton AntiVirus icon in the system tray and will disable notification of auto-protect, the user’s system is still protected."

Neil Campbell, the national security manager of IT services company Dimension Data, said he is not surprised that the antivirus vendors are downplaying the risks while the researchers that discover the vulnerabilities play them up.

"One of the ways to gain credibility as a security researcher is by identifying vulnerabilities," Campbell said. "It is in the researcher's best interests to talk potential problems up. The vendors naturally have to talk the problem down. And somewhere in-between there is the truth."

Campbell said a good way to determine the actual severity is to look at the number of people being affected and the impact the flaw is having.

"If you can't identify any victims, then you would tend to believe the vendors," he said. "But if you know that 5 million computers have been attacked, you would tend to believe the security researchers."

Munir Kotadia of ZDNet Australia reported from Sydney.