Addendum :[TZO-09-2009] Avast bypass / evasion (Limited details)
URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Update: After avast's reaction it is now clear that all versions and all
products are affected; however, there is no plan to patch. A patch will
come, or will not come, sometime in the future.
You are encouraged to read the timeline below and draw your own conclusions.
Desktop Protection
* avast! 4 Professional (impact low, reason real-time protection)
* avast! 4 Home Edition (impact low, reason real-time protection)
* avast! Pro Family pack (impact low, reason real-time protection)
* avast! WHS Edition (impact low, reason real-time protection)
* avast! Mac Edition (impact unknown)
* avast! Linux Home Edition (impact unknown)
* avast! U3 Edition (impact unknown)
* avast! 4 BART CD (impact unknown)
* avast! for PDA (impact unknown)
Corporate Protection
* avast! 4 Server Edition(impact high, complete bypass)
* avast! 4 Server Edition Plug-ins
* avast! 4 Exchange Server Edition (impact high, complete bypass)
* avast! 4 ISA Server Edition (impact high, complete bypass)
* avast! 4 SharePoint Server Edition (impact high, complete bypass)
* avast! 4 SMTP Server Edition (impact high, complete bypass)
* avast! 4 Lotus Domino Edition (impact high, complete bypass)
* avast! Distributed Network Manager (impact high, complete bypass)
* avast! 4 Professional (impact unknown)
* avast! 4 BART CD (impact unknown)
* avast! for Linux/Unix Server (impact high, complete bypass)
* avast! for PDA (impact unknown)
* Net.Purum (impact unknown)
OEM
* Copperfasten - Mail Firewall Appliance
* TN North Software - Internet Anywhere eMailServer
* IceWarp Software - Merak Email Server
* SmartMax Software, Inc. - MailMax Server
* NetWin Software - SurgeMail Email Server
* Hexamail Ltd. - Hexamail Guard - Antivirus option
* Bains Digital - Defender MX
Time line
''''''''''
* 14/03/2009 : Sent proof of concept, a description of the terms under which I
cooperate and the planned disclosure date. There is no security address listed
at [1], hence I used the industry-standard security contact addresses secure@
and security@: secure@xxxxxxxx, secure@xxxxxxxxx, security@xxxxxxxxx,
security@xxxxxxxx
No reply.
* 10/04/2009 : Resent, specifying that this is the last attempt to disclose
responsibly. This time two known contact addresses that were previously used to
report vulnerabilities were used: secalert@xxxxxxxxx, vlk@xxxxxxxxx
No reply.
* 17/04/2009 : Release of this advisory and beginning of the grace period.
* 17/04/2009 : Avast replies quoting the mail sent on 14/03/2009 and
claims that this is a non-issue because the POC would not correctly decompress.
* 17/04/2009 : Replied that the POC works as expected and asked why there had
been no reaction to the previous notifications.
No reply.
* 20/04/2009 : Asked for a patch timeline and the affected versions.
* 20/04/2009 : Avast replies that all versions and all product ranges are
affected, however "There's currently no plan to release a special patch for
this as our risk assessment makes it a very low priority issue."
* 20/04/2009 : Replied that Avast can assess the risk of losing customers
and money, not the entire cumulative risk their customers run in specific
environments.