[VIM] Is it a virus variant or an AV product vuln?
Steven M. Christey
coley at linus.mitre.org
Wed Nov 9 03:58:43 EST 2005
I treated these as vulns in CVE because they deal with specific
manipulations of inputs that would seem to make for an invalid executable,
but do not when they are dealt with on the end system. Intermediaries
like proxies, firewalls, etc. have special requirements: they have to be
aware of how the end systems handle the data that flows through the
intermediaries. Because of their roles as protectors, they should be held
to a higher standard than "normal" products.
I recently did a Bugtraq post on "interpretation conflicts," which the
magic byte issue falls under. In CVE, I've included other AV-bypassing
techniques, e.g. malformed ZIP files that can still be processed by some
programs. Maybe intermediaries shouldn't be "blamed" for non-standard
behaviors on end systems, but the interaction is of significant note
because it bypasses a protection mechanism. Probably a slippery-slope
area but there it is.
On Wed, 9 Nov 2005, Williams, James K wrote:
> This issue refuses to die. What is your opinion - virus variant or
> vuln? And why?
> The two links below are for the two main threads on FD.
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
> through forged magic byte
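The "interpretation conflict" Steven describes is easiest to see with the malformed-ZIP case he mentions: an intermediary that decides what a file is from its leading magic bytes, versus an end-system ZIP reader that locates the archive from its end-of-central-directory record and tolerates leading junk. The following Python model is an example added to this archive page; it is not code from the post, from CVE, or from any AV product. The marker string, the junk prefix and the two scanners are constructed for illustration; only Python's standard zipfile module stands in for the "end system".

```python
"""Toy model of an AV interpretation conflict (added example, not from the post):
a scanner that keys its parsing on leading magic bytes versus an end-system
consumer that opens the same bytes anyway."""
import io
import zipfile
from typing import Dict, Optional

# Constructed stand-in for content the scanner has a signature for.
# Hypothetical marker, deliberately not the real EICAR test string.
MALICIOUS_MARKER = b"EICAR-LIKE-TEST-MARKER"

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # what "file type by magic" checks for
ZIP_EOCD_MAGIC = b"PK\x05\x06"           # what real ZIP readers search for, from the end


def build_zip(payload: bytes, name: str = "payload.txt") -> bytes:
    """Build an in-memory ZIP archive holding one (deflated) member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def forge_magic(archive: bytes, junk: bytes = b"\x00" * 16) -> bytes:
    """Prepend junk so the data no longer *starts* with the ZIP magic.
    ZIP readers find the end-of-central-directory record from the end of the
    file and adjust member offsets (this is how self-extracting archives work),
    so Python's zipfile still opens the result."""
    return junk + archive


def scan_zip_members(data: bytes) -> bool:
    """Unpack every member and look for the marker. True if found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(MALICIOUS_MARKER in zf.read(info) for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def naive_scan(data: bytes) -> bool:
    """Intermediary-style scanner: trusts the leading magic bytes to decide the
    type and only unpacks when they say ZIP. Returns True if malicious."""
    if not data.startswith(ZIP_LOCAL_HEADER_MAGIC):
        return False   # "not a ZIP": the members are never inspected
    return scan_zip_members(data)


def hardened_scan(data: bytes) -> bool:
    """Scanner that parses the way the end system does: if a ZIP end-of-central-
    directory record is present anywhere, try to open the bytes as a ZIP no matter
    what the first bytes claim; otherwise fall back to a raw byte scan."""
    if ZIP_EOCD_MAGIC in data and scan_zip_members(data):
        return True
    return MALICIOUS_MARKER in data


def end_system_opens(data: bytes) -> Optional[bytes]:
    """What the end system actually does: open the file with a lenient ZIP reader
    and return the first member's content, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            return zf.read(names[0]) if names else None
    except zipfile.BadZipFile:
        return None


def demo() -> Dict[str, bool]:
    """Run both scanners and the end system against a clean and a forged archive."""
    archive = build_zip(MALICIOUS_MARKER + b" inside archive")
    forged = forge_magic(archive)
    return {
        "clean_magic_naive": naive_scan(archive),          # True: detected
        "forged_magic_naive": naive_scan(forged),          # False: bypassed
        "forged_magic_hardened": hardened_scan(forged),    # True: detected
        "end_system_reads_forged": end_system_opens(forged) is not None,  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is the last two results taken together: the intermediary said "not a ZIP, nothing to unpack", while the end system unpacked it without complaint. The hardened scanner closes that gap not by being stricter about the file's own claims but by imitating the end system's leniency, which is the "higher standard" the post asks of protective intermediaries.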