No, I'm not talking about the risks to dangly bits from reckless re-trousering.
At Blackhat Europe in Barcelona today, Mario Vuksan, Tomislav Pericin and Brian Karney have been talking, apparently to a packed house, about vulnerabilities they've found in various compression formats (ZIP, RAR, 7ZIP, CAB and GZIP), as well as their potential for steganographical use or misuse. I don't know yet what vulnerabilities they've found, as they're giving the vendors concerned the opportunity to fix them before going public.
Certainly, there have been many previous attempts to slip malware past antivirus software as a compressed attachment. In the early noughties, I earned the enmity of about 1 1/4 million people in the UK's National Health Service when I put a temporary block on ZIP files at a time when encrypted ZIPs were being heavily used by malware distributors to get past gateway AV and filters. It would, of course, have been much better to restrict blocking to encrypted ZIPs, but the service providers used at that time refused to implement filters to enable that, even though the programming required would have been minimal. Fortunately, most of that malware would be caught on execution by up-to-date signatures or heuristics, but we weren't able to assume that end-sites were properly protected in that environment, since their choice of product and configuration was not centrally regulated.
It will be interesting to see if Mario and company are talking about something more difficult to detect at the endpoint and/or easier to execute unknowingly. If not, the main problems here will not be technical vulnerabilities but careless users and social engineering attacks. But isn't that usually the case?
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at: