Date: 21 December 2006
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0939 -- [Win]
NOD32 Antivirus DOC parsing Arbitrary Code Execution Advisory
21 December 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ESET NOD32 Antivirus
Publisher: n.runs AG
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
Comment: According to the update information for "NOD32 - v.1.1743
(20061215)" at http://eset.com/support/updates.php. A patch for
this vulnerability has been deployed automatically.
- --------------------------BEGIN INCLUDED TEXT--------------------
n.runs AG
http://www.nruns.com/ security at nruns.com
n.runs-SA-2006.004 20-Dec-2006
________________________________________________________________________
Vendor: ESET, http://eset.com
Affected Products: ESET NOD32 Antivirus
Vulnerability: Arbitrary Code Execution (remote)
Risk: HIGH
________________________________________________________________________
Vendor communication:
2006/08/24 initial notification of ESET
2006/08/28 ESET Response
2006/08/29 PGP keys exchange
2006/08/29 PoC files sent to ESET
2006/09/06 ESET initial feedback.
2006/09/08 ESET confirmed the bug and fixed
2006/09/08 ESET made available the updates
________________________________________________________________________
Overview:
Founded in 1992, ESET is a global provider of security software for
enterprises and consumers. ESET's award-winning, antivirus software system,
NOD32, provides real-time protection from known and unknown viruses,
spyware, rootkits and other malware. NOD32 offers the smallest, fastest and
most advanced protection available, with more Virus Bulletin 100% Awards
than any other antivirus product. ESET was named to Deloitte's Technology
Fast 500 five years running, and has an extensive partner network, including
corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava,
SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is
represented worldwide in more than 100 countries.
The broad product platform protects Windows, Linux, Novell and MS DOS
machines.
Description:
Multiple vulnerabilities have been found in the file parsing engine.
In detail, the following flaw was determined:
- - Divide by Zero in .CHM file parsing.
- - Heap Overflow through Integer Overflow in .DOC File Parsing
The .DOC problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerabilities.
The vulnerabilities are present in NOD32 Antivirus software versions prior
to the update v.1.1743.
Solution:
The vulnerabilities were reported on Aug 24 and an update has been issued on
Sep 08 to solve these vulnerabilities through the regular update mechanism.
________________________________________________________________________
Credit:
Bugs found by Sergio Alvarez of n.runs AG.
________________________________________________________________________
References:
http://eset.com/support/updates.php?pageno=61 (NOD32 - v.1.1743)
________________________________________________________________________
The information provided is released by n.runs "as is" without warranty of
any kind. n.runs except all warranties, either express or implied, expect
for the warranties of merchantability. In no event shall n.runs be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if n.runs
has been advised of the possibility of such damages.
Distribution or Reproduction of the information is provided that the
advisory is not modified in any way.
Copyright 2006 n.runs. All rights reserved. Terms of use.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRYoq4yh9+71yA2DNAQL49gQAmm7E5r9ODcvN+SdbG11objCxj7T3tb7z
MO8fToBqrPnb9+HGubtBWfjWolHqKhIPQj7VKpc7cbxU19Z8+uA0jUFRDaFUuy6T
RAnVGiSRas/bqdK4AZb5PEHccnwclCAAY5CezUuoJ8ZP2HdzEwVRLbkzf3LXKrTI
ce7V2scbX6E=
=xtXm
-----END PGP SIGNATURE-----
|