Release mode: Coordinated but limited disclosure.
Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
Vendor : http://www.bitdefender.com
Status : Patched (with sig update after 13.05.2009)
CVE : none provided
Credit : none
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  • Bitdefender Antivirus 2009
  • Bitdefender Internet Security 2009
  • Bitdefender Total Security 2009
  • Bitdefender Small Office Security
  • Bitdefender for Fileservers
  • Bitdefender for Samba
  • Bitdefender for Sharepoint
  • Bitdefender Security for Exchange
  • Bitdefender Security for Mailservers
  • Bitdefender for ISA Servers
  • Bitdefender Client security

Bundles:
  • BitDefender Business Security
  • Bitdefender Antivirus for Unices
  • Bitdefender Corporate Security
  • Bitdefender SBS Security

I. Background

Quote: "BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA."


II. Description

The heuristics can be bypassed by a specially formatted PDF "container", which allows malicious PDF files, old or new, to evade detection. This bypass does not rely on archive structures; it relies on evading certain code paths in the AV engine "through various means".


III. Impact

To know more about the impact and type of "evasion", I updated the description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly, this opens the possibility to evade at scan time and run-time.


IV. Disclosure timeline

DD/MM/YYYY
  • 08/05/2009 : Sent proof of concept, description, the terms under which I cooperate and the planned disclosure date.
  • 13/05/2009 : Bitdefender notifies me that the patch was deployed.

[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilitate communication and reduce lost reports.
