Update: The information displayed on Aladdin blog post is erroneous, the end-user is able to extract the file. Still working with Aladdin on the issue
Release mode: Forced release, vendor has not replied.
Disclosure Policy :
Affected products :
- t.b.a (Vendor has not reacted, please see below)
- probably all versions including gateway solutions
As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.
Quote: "Aladdin is dedicated to being the leading provider of security services and solutions used to protect digital assets, enable secure business, and maximize the benefits from creating, selling, distributing and using digital content."
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently withheld due to other vendors that are in process of deploying patches.
Aladdin is advised to leave a specific security contact at  in order to simplify getting in contact with them.
As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.
A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.
IV. Disclosure timeline
- 04/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date. There is no security adress listed at  and hence took previously known security contacts that are known to exist.
- 13/04/2009 : Resending. Copied firstname.lastname@example.org, email@example.com firstname.lastname@example.org, email@example.com,firstname.lastname@example.org, email@example.com in CC.
- 16/04/2009 : Resending specifying this is the last attempt to disclose reponsibly.
- 18/04/2009 : Online virus scan service offered to bridge the gap between AV vendors that don't reply and myself. Aladdin was contacted through this third party.
- 19/04/2009 : Aladdin visited the blog entry that explains the bypasses and impacts. http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
- 27/04/2009 : Release of this limited advisory and begin of grace period.
- 27/04/2009 : Aladdin got in contact and are already working on the issue