SANS ISC: Path-conversion weakness in major AV products reported SANS ISC InfoSec Forums

Path-conversion weakness in major AV products reported
Juha-Matti Laurio was kind enough to put together this excellent summary of a potentially sticky vulnerability:

Reportedly "there is a design flaw in the way that NTDLL performs path conversion between DOS style path names and NT style path names. Although many attack vectors are possible, in this paper [see later] some proof of concept cases are covered". "This issue occurs because the operating system uses multiple differing algorithms to resolve file paths. Attackers may exploit this issue to bypass security software such as antivirus and antispyware products. Other attacks may also be possible.", continues Symantec.

A list of the affected products is located at

Some examples of the products listed:
Norton AV, Kaspersky AV, AVG AV, Norman AV, Ad-Aware, Spybot Search&Destroy and all Windows versions from NT4.0SP1 to Windows Server 2003 SP1.

A sample .bat file demonstrating this issue was also published at . bat
Note: I deliberately broke this link so that this story will make it through subscribers' mail filters. Remove those spaces around the dot if you wish to retrieve this. - gb

It appears that this issue is based on the following Bugtraq posting:
More details at this PDF document:

- Juha-Matti

We at the ISC have verified this behavior and strongly advise that all Windows users exercise "safe surfing" habits such as verifying attachments before opening, not executing programs unless obtained from a trusted source, etc. Also, you can hasten the update process by staying on top of your A/V vendor's support group. A partial list of vulnerable products is contained in the advisory.

May 15th 2006
