Introduction :

Firefox has long been considered Spyware hardened and spyware safe, it never really was. Don't get me wrong on this, it's not the fault of Firefox (although it could be a bit better protected against this particular attack). I made a small movie demonstrating this particular Proof of Concept.

Update: A bit of clarification what this fuzz is all about, as you see in the small animation, the Extension installs without any user interaction. That should be quite new, Firefox tries to block silent installs though random profile directory names and various other tricks. The adbar sends any URL you visit to a google syndication server thus monitoring your surf behaviour.

Update : The animation takes some time to load, wait for it.

Details :

Click on the image above.

This summary is not available. Please click here to view the post.

Introduction :
Flaws in the way F-Secure software handles ZIP and RAR data compression archives could allow an attacker to execute remote code on users' systems and also to bypass F-Secure's antivirus-scanning capabilities.

Details :
I found mutliple vulnerabilities within various AV Engines, F-Secure are the first to actually publish a real advisory, others fixed the bugs silently or put a small notice in a change_log. I will however not publish more details about the findings as of yet, there are too many AV engines vulnerable to similar issues and I am going to wait until most of them have patched the flaws until I exactly dislclose my findings.
http://www.f-secure.com/security/fsc-2006-1.shtml

Rain Forest Puppy once defined a "Responsible Disclosure Practice", I adhere to it.

[Update]
The Story has been posted on SecurityFocus, News.com, Washington Post, Heise, Suedeutsche, ZDnet, Computerworld, and various others. Special Thanks to Mikko for giving me Credit.

Introduction :
"ZangoCash (formerly LOUDcash) is recognized around the world as one of the best pay-per-install affiliate programs on the Internet. ZangoCash is a subsidiary of 180solutions which also includes Zango and MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute our software to users who are then connected with more than 6,000 MetricsDirect advertisers."

Details :

After the acknowledgement of an License Agreement, during Startup, the bundled EXE contacts several servers and downloads the required Adware components. The downloaded components are not checked for integrity or authenticity and are executed as soon as they are downloaded.

The Following procedures are exploitable :

1. Initial Install
2. Auto-Update function

The condition is exploitable in the following scenarios :

1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file

Redirecting static.zangocash.com to an IP address under your Control and creating the respective V-host allows you to install any type of executable on the machine where zango is being installed or currently is installed.

Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 - Fortinet Generic Evasion
Vendor : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products :
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.

I. Background

Quote: "Fortinet is a leading provider of network security appliances and the leader of the unified threat management (UTM) market worldwide. Fortinet's award-winning portfolio of security gateways, subscription services, and complementary products delivers the highest level of network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while reducing total cost of ownership and providing a flexible, scalable path for expansion. "

II. Description
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently witheld due to other vendors that are in process of deploying patches.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Fortinet is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in POC being released in two (2) weeks.

Fortinet (as well as others) is advised to leave a specific security contact at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.


IV. Disclosure time line

• 09/03/2009 Send proof of concept, description the terms under which I cooperate and the planned disclosure date. There is no security adress listed at [1] and hence took the industry standard security contacts addresses secure@ and security@.
  
  No reply.

• 14/03/2009 : Resending specifying this is the last attempt to disclose responsibly.
  
  No reply.

• 15/04/2009 : Fortinet published advisories for third party vendors with the address dontreply-secresearch@fortinet.com, used secresearch@fortinet.com to resend advisory.
  
  No reply.

• 17/04/2009 : Last attempt to contact, information sent to info@foritnet.com
  
  No reply, as of time of publishing

• 17/04/2009 : Release of this advisory and begin of grace period.
  
  
• 17/04/2009 : Fortinet replied instantly, investigation on going

[1] http://osvdb.org/vendor/1/Fortinet%20Inc_