=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN362
_____________________________________________________________________

DATE                      : 29/06/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running F-Secure Anti-Virus.

======================================================================

F-Secure Security Bulletin FSC-2006-4
Scanning bypass vulnerability in antivirus products for Windows

Date issued          2006-06-28
Last updated         2006-06-28
Risk factor          High (Low/Medium/High/Critical)

Brief description    Antivirus products for Windows client and server systems
                      fail to detect malware under certain circumstances.
                      Failures of this kind may lead to malware infections on
                      protected systems. Linux, Mobile and Windows-based gateway
                      products are not affected by the vulnerability.

Software             F-Secure Anti-Virus client and server products for the Windows
                      operating system

Affected versions    F-Secure Anti-Virus 2003 - 2006
                      F-Secure Internet Security 2003 - 2006
                      F-Secure Service Platform for Service Providers 6.xx and earlier
                      F-Secure Anti-Virus for Workstations version 5.44 and earlier
                      F-Secure Anti-Virus Client Security version 6.01 and earlier
                      F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
                      F-Secure Anti-Virus for Citrix Servers version 5.50 - 5.52
                      F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
                      Note: Earlier versions of F-Secure Service Platform for
                      Service Providers are known as F-Secure Personal Express

Affected platforms   Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003
                      Some of the affected product versions support other
                      platforms than those mentioned above. Installations on
                      such platforms are not affected by the vulnerability.

Bulletin location    http://www.f-secure.com/security/fsc-2006-4.shtml


Issue:

	The advisory and the issued hotfixes address two separate scenarios,
	both of which can let malware bypass scanning.

	1. The name of an executable program has been modified in a certain
	   way. The modified file is not scanned, even though it may still be
	   possible to execute it.
	2. The product fails to scan files on removable media. This occurs
	   only in configurations where the "Scan network drives" option has
	   been disabled.

	Both scenarios may lead to system infection, because the real-time
	scanner may grant permission to execute program files even when they
	are infected. To F-Secure's knowledge the vulnerability cannot be used
	for privilege escalation or to gain remote access to affected systems.


Products:

	F-Secure Anti-Virus 2003 - 2006
	F-Secure Internet Security 2003 - 2006
	F-Secure Service Platform for Service Providers 6.xx and earlier
	Co-branded service provider concepts based on one of the above products

	Note: Earlier versions of F-Secure Service Platform for Service Providers
	are known as F-Secure Personal Express

Risk Factor:     Medium

	These systems are affected by the vulnerability, but the needed hotfixes
	are distributed automatically to all affected systems. Users need not
	take any action.


Products:

	F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier

Risk Factor:     Medium

	These systems are affected by the vulnerability but their main task
	is typically to filter mail traffic. The vulnerability only affects
	local use of the computer and the risk for infection is thus
	significantly lower.

	F-Secure recommends that administrators of systems in this category
	apply the needed hotfix or upgrade to a version that is not affected,
	if available.


Products:

	All other affected products

Risk Factor:     High

	All these products are typically used on systems where programs are
	executed both from the hard drive and removable media.

	F-Secure recommends that administrators of systems in this category
	apply the needed hotfix or upgrade to a version that is not affected,
	if available.


Mitigating Factors:

	* Products for home users and service provider concepts use automatic
	  hotfix distribution and will be patched without user action.
	* Program files with modified names are harder to execute: some of the
	  methods normally used to launch a program fail on files modified in
	  this way.
	* The scanning failure on removable media only occurs if the "Scan
	  network drives" option has been turned off.
	* Linux, Mobile and Windows-based gateway products are not affected by
	  the vulnerability.
	* The vulnerability only affects some of the platforms that the affected
	  products support.


Patch and upgrade availability:

Product                      Versions     Hotfix ID / Download

F-Secure Anti-Virus          2003 - 2006  Hotfix distributed automatically, no user actions needed.

F-Secure Internet Security   2003 - 2006  Hotfix distributed automatically, no user actions needed.

F-Secure Personal Express    5.xx and     Hotfix distributed automatically, no user actions needed.
                             earlier

F-Secure Internet Security   6.xx         Hotfix distributed automatically, no user actions needed.
for Service Providers

F-Secure Anti-Virus          5.42 - 5.44  Hotfix fsavwk620-02:
for Workstations                          ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
                                          Or upgrade with remote installation package 5.44 build 12250:
                                          ftp://ftp.f-secure.com/support/hotfix/fsav/fsav_5.44-wks-12250-signed.jar

F-Secure Anti-Virus          5.54 - 6.01  Hotfix fsavwk620-02:
Client Security                           ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
                                          Or upgrade with remote installation package 5.55SR3, 5.58 or 6.02:
                                          ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.55-SR3-12251-signed.jar
                                          ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.58-12250-signed.jar
                                          ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_6.02-12250-signed.jar

F-Secure Anti-Virus          5.50 - 5.52  Hotfix fsavsr552-05:
for Windows Servers                       ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
                                          Or upgrade with remote installation package 5.52 build 12250:
                                          ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav_5.52-srv-12250-signed.jar

F-Secure Anti-Virus          5.50 - 5.52  Hotfix fsavsr552-05:
for Citrix Servers                        ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix

F-Secure Anti-Virus          5.61         Hotfix fsavsr552-05:
for MIMEsweeper                           ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
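
The version table above is easy to misread on a fleet: "5.44" on a
workstation can mean either an unpatched install or the fixed remote
installation package 5.44 build 12250, and versions below the hotfix range
(say Workstations 5.40) are still affected but have no hotfix, only an
upgrade path. The following triage helper is an added example, not F-Secure's
code and not part of the original bulletin; it encodes the affected ranges,
hotfix IDs and fixed builds listed in the bulletin and classifies inventory
records. The "host;product;version" record format, the exact product-name
strings and the sample inventory are assumptions constructed for the example.

```python
"""Triage inventory records against F-Secure bulletin FSC-2006-4.

Added example, not F-Secure's code. Ranges, hotfix IDs and fixed build
numbers are copied from the bulletin; the record format is an assumption.
"""
import re

INF = float("inf")


def parse_version(text):
    """'5.55SR3' -> (5, 55, 3); '6.01' -> (6, 1, 0); '2005' -> (2005, 0, 0).
    A service release (SRn) sorts after the plain release it belongs to."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\s*SR(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    major, minor, sr = m.groups()
    return (int(major), int(minor or 0), int(sr or 0))


def parse_build(text):
    """Return the build number from '... build 12250', or None if absent."""
    m = re.search(r"build\s+(\d+)", text, re.IGNORECASE)
    return int(m.group(1)) if m else None


# (product, lowest affected, highest affected, lowest version the hotfix
#  applies to, remedy). "auto" = hotfix pushed automatically. Affected
# versions below the hotfix floor get "upgrade" (no hotfix is listed).
AFFECTED = [
    ("F-Secure Anti-Virus",                            (2003, 0, 0), (2006, INF, INF), None,       "auto"),
    ("F-Secure Internet Security",                     (2003, 0, 0), (2006, INF, INF), None,       "auto"),
    ("F-Secure Service Platform for Service Providers", (0, 0, 0),   (6, INF, INF),    None,       "auto"),
    ("F-Secure Personal Express",                      (0, 0, 0),    (5, INF, INF),    None,       "auto"),
    ("F-Secure Anti-Virus for Workstations",           (0, 0, 0),    (5, 44, INF),     (5, 42, 0), "fsavwk620-02"),
    ("F-Secure Anti-Virus Client Security",            (0, 0, 0),    (6, 1, INF),      (5, 54, 0), "fsavwk620-02"),
    ("F-Secure Anti-Virus for Windows Servers",        (0, 0, 0),    (5, 52, INF),     (5, 50, 0), "fsavsr552-05"),
    ("F-Secure Anti-Virus for Citrix Servers",         (5, 50, 0),   (5, 52, INF),     (5, 50, 0), "fsavsr552-05"),
    ("F-Secure Anti-Virus for MIMEsweeper",            (0, 0, 0),    (5, 61, INF),     (5, 61, 0), "fsavsr552-05"),
]

# Fixed remote installation packages from the bulletin: (product, version) -> build.
# A host already on that build (or newer) needs no hotfix.
FIXED_BUILDS = {
    ("F-Secure Anti-Virus for Workstations", (5, 44, 0)): 12250,
    ("F-Secure Anti-Virus Client Security", (5, 55, 3)): 12251,
    ("F-Secure Anti-Virus Client Security", (5, 58, 0)): 12250,
    ("F-Secure Anti-Virus Client Security", (6, 2, 0)): 12250,
    ("F-Secure Anti-Virus for Windows Servers", (5, 52, 0)): 12250,
}


def triage(product, version_text):
    """Classify one install as 'not_affected', 'fixed', 'auto', 'upgrade'
    or the hotfix ID that must be applied."""
    ver = parse_version(version_text)
    build = parse_build(version_text)
    fixed_build = FIXED_BUILDS.get((product, ver))
    if fixed_build is not None and build is not None and build >= fixed_build:
        return "fixed"
    for name, lo, hi, hotfix_lo, remedy in AFFECTED:
        if name == product and lo <= ver <= hi:
            if hotfix_lo is not None and ver < hotfix_lo:
                return "upgrade"
            return remedy
    return "not_affected"


def triage_inventory(lines):
    """Parse 'host;product;version' records (assumed format) into
    {host: classification}; malformed records are flagged, not skipped."""
    out = {}
    for line in lines:
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3:
            out[line.strip() or "<blank>"] = "unparseable"
            continue
        host, product, version = parts
        try:
            out[host] = triage(product, version)
        except ValueError:
            out[host] = "unparseable"
    return out


# Constructed sample inventory for the example; not real hosts.
SAMPLE = [
    "ws01; F-Secure Anti-Virus Client Security; 6.01",
    "ws02; F-Secure Anti-Virus Client Security; 6.02",
    "ws03; F-Secure Anti-Virus for Workstations; 5.44 build 12250",
    "ws04; F-Secure Anti-Virus for Workstations; 5.40",
    "srv01; F-Secure Anti-Virus for Windows Servers; 5.52",
    "home01; F-Secure Internet Security; 2005",
    "gw01; F-Secure Anti-Virus for MIMEsweeper; 5.62",
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(host, status)
```

Note that "fixed" is only reported when the inventory carries a build number
that matches one of the bulletin's fixed packages; whether the .fsfix hotfix
itself has been applied cannot be inferred from the product version, so a
host classified with a hotfix ID still has to be checked against the
product's own hotfix records.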


Revision History:      FSC-2006-4 - 2006-06-28

Contact Information:   Support: 
http://support.f-secure.com/enu/corporate/contactus/
                        Security: http://www.f-secure.com/security/
                        URL:      http://www.f-secure.com/


______________________________________________________________________________

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


