Release mode: Coordinated but limited disclosure.
Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
Vendor : http://www.bitdefender.com
Status : Patched (with sig update after 13.05.2009)
CVE : none provided
Credit : none
OSVDB vendor entry: none 
Security notification reaction rating : good
Notification to patch window : 5 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Bitdefender Antivirus 2009
- Bitdefender Internet Security 2009
- Bitdefender Total Security 2009
- Bitdefender Small Office Security
- Bitdefender for Fileservers
- Bitdefender for Samba
- Bitdefender for Sharepoint
- Bitdefender Security for Exchange
- Bitdefender Security for Mailservers
- Bitdefender for ISA Servers
- Bitdefender Client security
- BitDefender Business Security
- Bitdefender Antivirus for Unices
- Bitdefender Corporate Security
- Bitdefender SBS Security
Quote: "BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA."
The heuristics can be bypassed by a special formated PDF "container", this leads to the bypass of malicious PDF files, old or new. This is not a bypass that relies on archive structures but relies on evading certaincode paths in the av engine "through various means".
To know more about the impact and type of "evasion", I updated the description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Interestingly this opens the possibilty to evade at scan time andrun-time.
IV. Disclosure timeline
- 08/05/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date.
- 13/05/2009 : Bitdefender notifies my that the patch was deployed.
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.