Symantec - Generic PDF detection bypass
Release mode: Coordinated
Reference : [GSEC-47-2009] - Symantec generic PDF bypass
Vendor : http://www.symantec.com
Status : Patched
CVE : none attributed yet
Credit : http://tinyurl.com/ygqnlhs
Discovered by : Thierry Zoller (G-SEC)
Affected products :
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks
I. Background
Quote: "Symantec helps consumers and organizations secure and
manage their information-driven world. Our software and services
protect against more risks at more points, more completely and
efficiently, enabling confidence wherever information is used or stored."
II. Description
Improper parsing of the PDF structure allows malicious PDF documents to evade detection at scan time and at run time. This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics.
General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
III. Impact
Known PDF exploits/malware may evade signature detection; 0day exploits
may evade heuristics.
V. Disclosure timeline
DD.MM.YYYY
- 01.06.2009 - Reported
- 12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
though we are not identifying these issues as vulnerabilities, it's just
the best method to disseminate this type of product information"
< waiting for others to patch >
- 27.10.2009 - Published this advisory
Note: All trademarks mentioned herein belong to their respective owners.