Last Updated: 2006-05-15 23:39:57 UTC
by George Bakos (Version: 1)
Reportedly "there is a design flaw in the way that NTDLL performs path conversion between DOS style path names and NT style path names. Although many attack vectors are possible, in this paper [see later] some proof of concept cases are covered". "This issue occurs because the operating system uses multiple differing algorithms to resolve file paths. Attackers may exploit this issue to bypass security software such as antivirus and antispyware products. Other attacks may also be possible," continues Symantec.
A list of the affected products is located at
Some examples of the products listed:
Norton AV, Kaspersky AV, AVG AV, Norman AV, Ad-Aware, Spybot Search&Destroy and all Windows versions from NT4.0SP1 to Windows Server 2003 SP1.
A sample .bat file demonstrating this issue was also published at
http://www.securityfocus.com/data/vulnerabilities/exploits/17934 . bat
Note: I deliberately broke this link so that this story will make it through subscribers' mail filters. Remove those spaces around the dot if you wish to retrieve this. - gb
It appears that this issue is based on the following Bugtraq posting:
More details at this 48Bits.com PDF document:
We at the ISC have verified this behavior and strongly advise that all Windows users exercise "safe surfing" habits such as verifying attachments before opening, not executing programs unless obtained from a trusted source, etc. Also, you can hasten the update process by staying on top of your A/V vendor's support group. A partial list of vulnerable products is contained in the advisory.