F-Secure - Generic PDF detection bypass
Release mode: Coordinated
Reference : [GSEC-48-2009] - F-Secure generic PDF bypass
Vendor : http://www.f-secure.com
Status : Patched
CVE : none attributed yet
Credit : tba (probably FSC-2009-3)
Discovered by : Thierry Zoller (G-SEC)
Affected products :
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
Affected Platforms :
- Windows
- UNIX
- Linux
I. Background
Quote: "F-Secure offers a broad range of PC and internet security
products made for your home or business, so you will
always be protected. Our internet security, antivirus
and anti-spyware software is trusted by more than 180
internet service providers around the world. Moreover,
with 16 global offices and a presence within more than
100 countries, F-Secure is sure to be there for you and
your security software needs."
II. Description
Improper parsing of the PDF structure by the scanning engine allows malicious PDF documents to evade detection both at scan time and at runtime. A PDF whose structure the engine fails to parse correctly is not matched against the PDF signatures or heuristics at all, so this is a generic evasion rather than a bypass of individual signatures. The issue has been confirmed with several known malicious PDF files.
General information about anti-virus evasions and bypasses can be found at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
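The advisory does not disclose which structural feature of the PDF format the engine mishandled, so the script below is an added illustration of the class of bug, not F-Secure's code and not the technique Thierry Zoller reported. It builds a constructed sample PDF whose OpenAction is a harmless JavaScript alert, then runs it through two toy scanners: a naive one that only recognises a PDF by a header at byte 0 and matches signatures on raw bytes, and a robust one that mirrors what readers actually accept (a header anywhere in the first 1024 bytes, as the PDF Reference 1.7 Appendix H implementation notes describe, and `#xx` hex escapes inside names, PDF Reference 1.7 section 3.2.4). Both variations are legal PDF and both slip past the naive scanner, which is exactly the "generic evasion" outcome the description above refers to. The `/JavaScript` signature, the sample document and the function names are all assumptions made for this example.

```python
import re

# Readers such as Acrobat and pdf.js accept the "%PDF-" header anywhere within
# the first 1024 bytes and count xref offsets from that header
# (PDF Reference 1.7, Appendix H implementation notes).
HEADER_WINDOW = 1024
HEADER_RE = re.compile(rb"%PDF-\d\.\d")
# "#xx" hex escapes are legal inside PDF names (PDF Reference 1.7, section 3.2.4).
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Toy signature for this example: a document carrying a JavaScript action.
SIGNATURE_RE = re.compile(rb"/(JavaScript|JS)\b")


def build_pdf(js: bytes, name_obfuscate: bool = False, prefix: bytes = b"") -> bytes:
    """Construct a minimal one-page PDF whose OpenAction runs `js`.

    Constructed sample for this example. `prefix` is arbitrary junk placed in
    front of the header; `name_obfuscate` spells the action names with #xx
    escapes. Cross-reference offsets are counted from the header, which is
    how readers treat a file with leading junk.
    """
    js_name = b"/J#61va#53cript" if name_obfuscate else b"/JavaScript"
    js_key = b"/#4aS" if name_obfuscate else b"/JS"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /S " + js_name + b" " + js_key + b" (" + js + b") >>",
    ]
    out = bytearray(prefix + b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out) - len(prefix))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out) - len(prefix)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


def naive_scan(data: bytes) -> str:
    """Scanner that only treats a file as PDF when the header sits at offset 0
    and matches signatures on the raw bytes. Anything it fails to recognise
    never reaches the PDF signatures at all."""
    if not data.startswith(b"%PDF-"):
        return "not-pdf"
    return "malicious" if SIGNATURE_RE.search(data) else "clean"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61va#53cript compares equal to /JavaScript.
    Applied to the whole file for brevity; a real scanner would do this per
    parsed name token."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def robust_scan(data: bytes) -> str:
    """Mirror the reader: locate the header within the first 1024 bytes,
    parse from there, and match signatures on canonicalised names."""
    m = HEADER_RE.search(data[:HEADER_WINDOW])
    if m is None:
        return "not-pdf"
    body = normalize_names(data[m.start():])
    return "malicious" if SIGNATURE_RE.search(body) else "clean"


def demo() -> dict:
    """Run both scanners over three constructed samples; returns
    {name: (naive verdict, robust verdict)}."""
    js = b"app.alert('hello');"
    samples = {
        "plain": build_pdf(js),
        "junk-prefix": build_pdf(js, prefix=b"GIF89a" + b"\x00" * 200),
        "escaped-names": build_pdf(js, name_obfuscate=True),
    }
    return {name: (naive_scan(pdf), robust_scan(pdf)) for name, pdf in samples.items()}


if __name__ == "__main__":
    for name, (naive, robust) in demo().items():
        print(f"{name:15s} naive={naive:10s} robust={robust}")
```

The point of the comparison is that a scanner's notion of "is this a PDF, and what does it contain" has to be at least as tolerant as the renderer that will eventually open the file; every place the scanner is stricter than the reader is a generic bypass, independent of which signatures or heuristics sit behind it.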
III. Impact
Known PDF exploits and malware may evade signature detection; 0-day exploits may evade heuristic detection.
V. Disclosure timeline
DD.MM.YYYY
- 15.05.2009 - Reported to F-Secure
- 12.07.2009 - Patches deployed automatically; F-Secure waits to coordinate public disclosure
- < waiting for others to patch >
- 27.10.2009 - G-SEC releases this advisory
Note: All trademarks mentioned herein belong to their respective owners.