Improper parsing of the PDF structure leads to evasion of detection of malicious PDF documents at scantime and runtime.
Credit:
The information has been provided by Thierry Zoller.
The original article can be found at: http://www.g-sec.lu/mcafee-pdf-bypass.html
Vulnerable Systems:
* McAfee GroupShield
* McAfee LinuxShield
* McAfee NetShield for NetWare
* McAfee PortalShield
* McAfee Total Protection Service (SaaS)
* McAfee Virex
* McAfee Total Protection 2009
* McAfee Internet Security
* McAfee VirusScan USB
* McAfee VirusScan Enterprise
* McAfee VirusScan Enterprise Linux
* McAfee VirusScan Enterprise for SAP
* McAfee VirusScan Enterprise for Storage
* McAfee VirusScan Commandline
* McAfee SecurityShield for Microsoft ISA Server
* McAfee Security for Microsoft SharePoint
* McAfee Security for Email Servers
* McAfee Email Gateway
* McAfee Total Protection for Endpoint
* McAfee Active Virus Defense
* McAfee Active VirusScan
Known PDF exploits/malware may evade signature detection; 0day exploits may evade heuristics.
Patch Availability:
Patches distributed through automatic updates.
This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics. General information about evasion/bypasses can be found at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Disclosure Timeline:
01.06.2009 - Reported
20.10.2009 - McAfee informed us that they published the advisory on their website < waiting for other vendors to patch >
27.10.2009 - G-SEC releases this advisory