Security researchers have uncovered another serious flaw in Kaspersky's Anti-Virus Engine (KAV), while at the same time Computer Associates has warned of a serious unpatched bug in its iGateway software.
The Kaspersky bug, disclosed by iDefense, affects the component of KAV used to parse CHM files. In Linux versions of KAV, a corrupt CHM file can trigger a buffer overflow and allow malicious code execution, with no user interaction required. In Windows installations such a file only disables the virus scanner, but that alone could open the door to further attacks, since malicious code could then slip past the scanner unexamined.
KAV is widely used on Linux and Windows in scanners at network gateways and on individual hosts. The engine is widely licensed to other vendors, but among third-party products iDefense confirmed the vulnerability only in F-Secure Anti-Virus for Linux 4.50. The bug was also confirmed in Kaspersky Personal 5.0.227 and Kaspersky Anti-Virus On-Demand Scanner for Linux 5.0.5. "All products utilizing the Kaspersky Anti-Virus engine are potentially vulnerable," iDefense said in its advisory.
Disclosure was at least handled in a more organised manner this time. iDefense said it notified Kaspersky of the problem several months ago, and the company says it has addressed the issue via a signature update as of July 2005.
Security research firm Secunia gave the flaw a "highly critical" rating.
Last week, a researcher disclosed a similarly serious problem with Kaspersky's CAB scanning mechanism, making the bug public before Kaspersky was able to provide a permanent fix.
Also last week, Symantec made a fix available for a bug in its Web-based Administrative Interface that could allow attackers to execute malicious code on a protected system. This bug was also discovered by iDefense.
Computer Associates said on Monday that a buffer overflow in iGateway could allow attackers to take over a system. The bug is in the way iGateway processes HTTP GET requests when debug mode is enabled, CA said.
The bug is found in versions 3.0 and 4.0 of iGateway. The component ships with other CA products such as BrightStor ARCserve 2000, BrightStor ARCserve Backup, BrightStor Enterprise Backup and BrightStor Portal, but debug mode isn't enabled by default.
CA didn't publish a fix for the software, but said users could avoid problems by not using debug mode. The French Security Incident Response Team gave the flaw its highest rating, "critical".