

This is a living post that will be updated as I release advisories.

Updates:

  • 02.01.2020 - Added Initial List of Advisories
  • 09.01.2020 - Added Bitdefender and Kaspersky Advisories
  • 12.01.2020 - Added Bitdefender Advisories
  • 13.02.2020 - Added TZO-011/012 ESET and Avira Advisories
  • 14.02.2020 - Added TZO-015 F-Secure Advisory
  • 17.02.2020 - Released TZO-017 Kaspersky
  • 18.02.2020 - Released TZO-018 Bitdefender
  • 20.02.2020 - Released TZO-019 Avira CVE-2020-9320
  • 24.02.2020 - Released TZO-016 F-Secure CVE-2020-9342
  • 28.02.2020 - Released TZO-023 Avast Generic Bypass
  • 02.03.2020 - Released TZO-020 Quickheal bypass


List of advisories: 

Where can I find more information about this bug class?
I wrote a post about this bug class in 2009 and, in essence, it still holds true. The threat landscape has shifted, and so have the technical capabilities:
https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


Why now?

Ten years ago I took a look at ways to evade AV/DLP engine detection using various techniques and released a metric ton of advisories. Ten years later, after multiple CISO-type roles, I wanted to deep-dive again and see how far (or not) the AV industry has reacted to this class of vulnerabilities. [1,2]

These types of evasions are now actively being used in offensive operations [3]. To my surprise, with a few exceptions, most AV vendors haven't appropriately reacted, and in some cases I even found the very same vulnerabilities that were patched and disclosed years ago.

Worse than that, some vendors that were very collaborative in 2008/2009 have now started to ignore submissions (until I threaten disclosure), or are trying to argue that generically evading AV detection is not a vulnerability, although they patched and released advisories for it before. Go figure.

I had a lot of back and forth on this matter. For instance, one vendor argued that this could not be called a vulnerability because it would not impact integrity, availability or confidentiality. Another vendor argued that this cannot pose a "risk" to their customers because of XYZ (assumptions).

Well, I am reporting vulnerabilities within products, not risks. Furthermore, the impact on the customer is highly dependent on how the customer contextually uses the product, something the vendor rarely has any insight into. Trying to calculate the expected loss for a hundred thousand customers is not something we should be doing when handling vulnerability notifications; however, a shocking number of vendors are unable to understand the difference between a vulnerability and a risk.

Even more bothersome to me is how the bug bounty platforms have created a distorted reporter/vendor relationship and are mostly run to the detriment of the customers. I am collecting my experiences and plan to write a blog post about this phenomenon in the future.

I am hoping that I can finally help to eradicate this bug class and won't have to come back to this 10 years from now.

[1] Our presentation at Hack.lu and CanSecWest entitled "The Death of AV Defence in Depth?"

[2] It didn't go unnoticed - past press coverage: Washington Post, Infoworld, Heise, SecurityFocus, etc.

[3] https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/ and https://www.techradar.com/news/zip-files-are-being-used-to-bypass-security-gateways