
Addendum :[TZO-09-2009] Avast bypass / evasion (Limited details)



URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html

Update : After the reaction from avast, it is now clear that all versions
and products are affected; however, there is no plan to patch. The
patch may or may not come, sometime in the future.

You are encouraged to read the time line and draw your own conclusions.

Desktop Protection

    * avast! 4 Professional (impact low, reason real-time protection)
    * avast! 4 Home Edition (impact low, reason real-time protection)
    * avast! Pro Family pack (impact low, reason real-time protection)
    * avast! WHS Edition (impact low, reason real-time protection)
    * avast! Mac Edition (impact unknown)
    * avast! Linux Home Edition (impact unknown)
    * avast! U3 Edition (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for PDA (impact unknown)

Corporate Protection

    * avast! 4 Server Edition (impact high, complete bypass)
    * avast! 4 Server Edition Plug-ins
    * avast! 4 Exchange Server Edition (impact high, complete bypass)
    * avast! 4 ISA Server Edition (impact high, complete bypass)
    * avast! 4 SharePoint Server Edition (impact high, complete bypass)
    * avast! 4 SMTP Server Edition (impact high, complete bypass)
    * avast! 4 Lotus Domino Edition (impact high, complete bypass)
    * avast! Distributed Network Manager (impact high, complete bypass)
    * avast! 4 Professional (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for Linux/Unix Server (impact high, complete bypass)
    * avast! for PDA (impact unknown)
    * Net.Purum (impact unknown)

OEM

    * Copperfasten - Mail Firewall Appliance
    * TN North Software - Internet Anywhere eMailServer
    * IceWarp Software - Merak Email Server
    * SmartMax Software, Inc. - MailMax Server
    * NetWin Software - SurgeMail Email Server
    * Hexamail Ltd. - Hexamail Guard - Antivirus option
    * Bains Digital - Defender MX


Time line
''''''''''
    * 14/03/2009 : Sent proof of concept, a description of the terms under which I 
cooperate and the planned disclosure date. There is no security address listed 
at [1], hence I used the industry standard security contact addresses secure@ 
and security@: secure@xxxxxxxx, secure@xxxxxxxxx, security@xxxxxxxxx, 
security@xxxxxxxx

      No reply.

    * 10/04/2009 : Resent, specifying that this is the last attempt to disclose 
responsibly. This time two known contact addresses that were previously used to 
report vulnerabilities were used: secalert@xxxxxxxxx, vlk@xxxxxxxxx

      No reply.

    * 17/04/2009 : Release of this advisory and beginning of the grace period.

    * 17/04/2009 : Avast replies, quoting the mail sent on 14/03/2009, and 
claims that this is a non-issue because the POC would not correctly decompress.

    * 17/04/2009: Replied that the POC works as expected and asked why there had 
been no reaction to the previous notifications.

      No reply.

    * 20/04/2009: Asked for a patch timeline and the affected versions.

    * 20/04/2009: Avast replies that all versions and all product ranges are 
affected, however "There's currently no plan to release a special patch for 
this as our risk assessment makes it a very low priority issue."

    * 20/04/2009: Replied that Avast can assess the risk of losing customers 
and money, not the entire cumulative risk their customers run in specific 
environments.