August 12, 2008
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki), issued a security alert for a vulnerability in Virus Security and Virus Security ZERO on August 12, 2008.
This vulnerability allows an attacker to stop the anti-virus software's virus scanning operation during and after the scan of a specially crafted compressed file.
If exploited, an attacker could leave the anti-virus software unable to detect viruses and render the computer vulnerable to virus infection.
To fix the problem, update the software to the latest version provided by the vendor.
Virus Security and Virus Security ZERO are anti-virus software products from SOURCENEXT. Both are vulnerable to denial of service (DoS) attacks due to a problem in handling compressed files.
If exploited, an attacker could stop the software from scanning for viruses, leaving it unable to detect viruses and exposing the computer to infection.
For the latest information, please refer to:
The following person reported this vulnerability to IPA on March 11, 2008. JPCERT Coordination Center (JPCERT/CC) coordinated with the product vendor and published the vulnerability on August 12, 2008, under the Information Security Early Warning Partnership.
Credit: Yuji Ukai of Fourteenforty Research Institute, Inc.
An attacker could stop Virus Security or Virus Security ZERO from scanning for viruses during and after the scan of a specially crafted compressed file obtained via email, a web site, a file-exchange program or some other means.
This leaves the anti-virus software unable to detect viruses and puts the computer at risk of virus infection.
To fix the problem, update the software to the latest version provided by the vendor.
CVSS base score: 4.3

| AV: Access Vector | □ Local | □ Adjacent Network | ■ Network |
| AC: Access Complexity | □ High | ■ Medium | □ Low |
| Au: Authentication | □ Multiple | □ Single | ■ None |
| C: Confidentiality Impact | ■ None | □ Partial | □ Complete |
| I: Integrity Impact | ■ None | □ Partial | □ Complete |
| A: Availability Impact | □ None | ■ Partial | □ Complete |
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)