[Pkg-clamav-devel] Bug#526041: Bug#526041: clamav: CVE-2008-5525 malware detection bypass

aCaB acab at clamav.net
Thu Apr 30 16:10:48 UTC 2009


Michael S. Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for clamav.
> 
> CVE-2008-5525[0]:
> | ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
> | used, allows remote attackers to bypass detection of malware in an
> | HTML document by placing an MZ header (aka "EXE info") at the
> | beginning, and modifying the filename to have (1) no extension, (2) a
> | .txt extension, or (3) a .jpg extension, as demonstrated by a document
> | containing a CVE-2006-5745 exploit.

Hi,
This is an Internet Explorer issue and has got nothing to do with ClamAV.
In fact clamd/clamscan are file-based scanners and cannot know the
content type returned by the web server nor the original file extension:
ClamAV scans a binary file looking like an MZ executable as an MZ
executable.

If other 3rd party applications choose to render a binary executable
file as HTML, there is nothing ClamAV can do to stop them.

-aCaB
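
Added example, not part of the original message and not ClamAV code: the reply's point is that a file-based scanner types a file by its content, not by its name or the web server's content type. The sketch below does the same and flags the name/content disagreement the CVE text describes, as a gateway in front of a browser could. The function names, marker list and finding labels are hypothetical, and the sample bytes are constructed.

```python
import struct

# Hypothetical marker list; a real gateway would use a proper HTML sniffer.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<object")
EXECUTABLE_EXTS = ("exe", "dll", "sys", "scr")

def has_valid_pe_header(data: bytes) -> bool:
    """True if the MZ stub's e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(filename: str, data: bytes) -> dict:
    """Type a file by content, then record disagreements with its name."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    starts_mz = data[:2] == b"MZ"
    lowered = data.lower()
    html = [m.decode() for m in HTML_MARKERS if m in lowered]
    findings = []
    if starts_mz and ext not in EXECUTABLE_EXTS:
        findings.append("mz-magic-with-non-executable-name")
    if starts_mz and not has_valid_pe_header(data):
        findings.append("mz-magic-without-pe-header")
    if starts_mz and html:
        findings.append("html-markup-inside-mz-file")
    return {"content_type": "mz" if starts_mz else "other",
            "ext": ext, "html_markers": html, "findings": findings}

# Constructed sample: MZ magic, zero padding, then inert HTML markup.
SAMPLE_MZ_HTML = b"MZ" + b"\0" * 0x3E + b"<html><script>/* constructed */</script></html>"
# Constructed sample: minimal MZ stub whose e_lfanew points at a PE signature.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    for name, blob in (("report.txt", SAMPLE_MZ_HTML), ("download", SAMPLE_MZ_HTML),
                       ("photo.jpg", SAMPLE_MZ_HTML), ("tool.exe", SAMPLE_PE)):
        print(name, classify(name, blob)["findings"])
```
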




