A mysterious security research group is reporting that they have found several serious vulnerabilities in the ClamAV open source antivirus program.
According to the advisory, the vulnerabilities are heap overflows in the processing of certain file formats, specifically TNEF, CHM and FSG. Because of the nature of the server, which is typically used to scan incoming e-mail and files attached to it, the vulnerabilities may be invoked simply by sending e-mail with malformed attachments to an address on a vulnerable server. The advisory claims that version 0.86.1 and earlier are affected. On Sunday ClamAV released 0.86.2, which fixes the problems.
ClamAV is available for Unix and Linux broadly, and included in many Linux distributions, including Suse and Debian.
Many security-service packages, such as Roaring Penguins and appliances, such as those from Barracuda Networks, are built on ClamAVs software.
According to Apple, Mac OS X Server 10.4 includes ClamAV as well. The fixes distributed by ClamAV may not yet be available for these distributions.
The research group rem0te.com lists several other past vulnerabilities in other antivirus products and also a “SOPHOS ANTIVIRUS LIBRARY REMØTE HEAP OVERFLOW” which is password-protected and dated “08.??.2005”. Rem0te.com did not respond to an e-mail request for information in time for publication. The researchers credited with discovering the problems, Alex Wheeler and Neel Mehta, gave a presentation at BlackHat Europe earlier this year on compromising antivirus programs.
