| ]



Subscribe to the RSS feed in case you are interested in updates.


Release mode: Coordinated but limited disclosure
Ref         : [TZO-32-2009] - Norman generic evasion (RAR)
Vendor      : http://www.norman.com   
Status      : Patched (with decompression engine version 5.99.07)
CVE         : none provided
Credit      : http://www.norman.com/support/security_bulletins/69333/en
OSVDB vendor entry: Norman is not listed as a vendor in OSVDB
Security notification reaction rating : ok
Notification to patch window : 77 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07, relased on Norman's Internet update servers as an automatic update 03 June 2009.  This solves the vulnerability for all updated Norman's products except for Norman Network Protection

  • Norman Virus Control single user and corporate versions
  • Norman Internet Control
  • Norman Virus Control E-mail plugins
  • Norman Endpoint Protection
  • Norman Secuirty Suite
  • Norman Network Protection
  • Norman Virus Control for Lotus Domino
  • Norman Virus Control for Exchange
  • Norman Virus Control for Linux
  • Norman Email Protection
  • Norman Email Protection Appliance
  • Norman Online Protection
  • Norman Virus Control for AMaViS
  • Norman Virus Control for MIMEsweeper
  • Third party vendors that use the Engine

 OEM vendors known to use the Norman engine :
 - eeye Blink


I. Background
Quote: "Norman ASA is a world leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers a unique and proactive protection unlike any other competitor"


II. Description
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all.

III. Impact
The bug results in denying the engine the possibility to inspect code within the RAR archives. There is no inspection of content at all.

A general description of the impact and nature of AV Bypasses/evasions can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


IV. Disclosure time-line
DD/MM/YYYY
  • 05/03/2009 : Send proof of concept (RAR Size), description the terms under which I cooperate and the planned disclosure date.          
          No reply
  • 13/03/2009 : Re-Send proof of concept (RAR Size), indicating this is the last attempt to responsible disclose.
  • 14/03/2009 : Norman acknowledges receipt

  • 23/03/2009 : Send proof of concept (RAR Method)

  • 23/03/2009 : Asking for an update for the RAR Size sample

  • 02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release            the patch a.s.a.p

  • 02/04/2009 : Norman promises to get back with release dates/advisory information as soon as they have some firm dates

  • 06/04/2009 : Norman confirms reproduction of RAR Headflags PoC             20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported vulnerabilities have been patched internally.

  • 22/04/2009 : Ask for a list of affected versions/products   
    no answer

  • 27/04/2009 : Norman sends in the patched decompression DLL for me to if the patch is correct

  • 28/04/2009 : Send TAR PoC file
          no acknowledgement
  • 07/05/2009 : Ask for an update to all reported bugs
          no reply
  • 08/05/2009 : Inform Norman that as I no longer receive any replies I assume that the patch is deployed and set that the final disclosure date to the 1.06.2009

  • 09/05/2009 : Norman states they probably can't make the 1/06/2009

  • 09/05/2009 : Propose to postpone disclosure upon request
  • 28/05/2009 : Ask for an update as 01.06.2009 still is set             
  • 30/05/2009 : Norman asks to postpone the disclosure by a week as they have to finish Q&A

  • 09/06/2009 : Ask norman whether the Q&A has been finished
  • 09/06/2009 : Norman replies the patches where deployed on the 3rd of June

  • 10/06/2009 : Release of this advisory.