Bugtraq mailing list archives

Addendum: [TZO-09-2009] Avast bypass / evasion (Limited details)


From: Thierry Zoller <Thierry () Zoller lu>
Date: Mon, 20 Apr 2009 18:40:43 +0200


URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html

Update: After the reaction from avast, it is now clear that all versions and products are affected; however, there is no plan to patch. The patch will come, or will not come, sometime in the future.

You are encouraged to read the time line and draw your own conclusions.

Desktop Protection

    * avast! 4 Professional (impact low, reason real-time protection)
    * avast! 4 Home Edition (impact low, reason real-time protection)
    * avast! Pro Family pack (impact low, reason real-time protection)
    * avast! WHS Edition (impact low, reason real-time protection)
    * avast! Mac Edition (impact unknown)
    * avast! Linux Home Edition (impact unknown)
    * avast! U3 Edition (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for PDA (impact unknown)

Corporate Protection

    * avast! 4 Server Edition (impact high, complete bypass)
    * avast! 4 Server Edition Plug-ins
    * avast! 4 Exchange Server Edition (impact high, complete bypass)
    * avast! 4 ISA Server Edition (impact high, complete bypass)
    * avast! 4 SharePoint Server Edition (impact high, complete bypass)
    * avast! 4 SMTP Server Edition (impact high, complete bypass)
    * avast! 4 Lotus Domino Edition (impact high, complete bypass)
    * avast! Distributed Network Manager (impact high, complete bypass)
    * avast! 4 Professional (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for Linux/Unix Server (impact high, complete bypass)
    * avast! for PDA (impact unknown)
    * Net.Purum (impact unknown)

OEM

    * Copperfasten - Mail Firewall Appliance
    * TN North Software - Internet Anywhere eMailServer
    * IceWarp Software - Merak Email Server
    * SmartMax Software, Inc. - MailMax Server
    * NetWin Software - SurgeMail Email Server
    * Hexamail Ltd. - Hexamail Guard - Antivirus option
    * Bains Digital - Defender MX


Time line
''''''''''
    * 14/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure
date. There is no security address listed at [1], hence I used the industry-standard security contact addresses
secure@ and security@: secure () avast de, secure () alwil com, security () alwil com, security () avast de

      No reply.

    * 10/04/2009 : Resent, specifying that this is the last attempt to disclose responsibly. This time two known contact
addresses that were previously used to report vulnerabilities were used: secalert () avast com, vlk () avast com

      No reply.

    * 17/04/2009 : Release of this advisory and beginning of the grace period.

    * 17/04/2009 : Avast replies, quoting the mail sent on 14/03/2009, and claims that this is a non-issue because
the POC would not correctly decompress.

    * 17/04/2009: Replied that the POC works as expected and asked why there had been no reaction to previous
notifications.

      No reply.

    * 20/04/2009: Asked for a patch timeline and the affected versions.

    * 20/04/2009: Avast replies that all versions and all product ranges are affected, however "There's currently no 
plan to release a special patch for this as our risk assessment makes it a very low priority issue."

    * 20/04/2009: Replied that Avast can assess the risk of losing customers and money, not the entire cumulative risk
their customers run in specific environments.
