F-SECURE - Generic PDF detection bypass

                                                ________________________________________________________________________

          F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________

***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU 
starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
                                       Frederic Raynal
***********************************************************************

Release mode  : Coordinated
Reference     : [GSEC-48-2009] - F-Secure generic PDF bypass
WWW           : http://www.g-sec.lu/fsecure-pdf-bypass.html
Vendor        : http://www.f-secure.com
Status        : Patched
CVE           : none attributed yet
Credit        : tba (probably FSC-2009-3)
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~~~~~~~~~~~~~~~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and \
                earlier
- Solutions based on F-Secure Protection Service for Business -  Workstation security \
                version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business -  E-mail and Server \
                security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier


Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates

I. Background
~~~~~~~~~~~~~
Quote: "F-Secure offers a broad range of PC and internet security 
products made for your home or business, so you will 
always be protected. Our internet security, antivirus 
and anti-spyware software is trusted by more than 180
internet service providers around the world. Moreover, 
with 16 global offices and a presence within more than 
100 countries, F-Secure is sure to be there for you and
your security software needs."

II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
15.05.2009 - Reported to F-Secure 
12.07.2009 - Patches deployed automatically, F-Secure waits to
             coordinate public disclosure
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory


About G-SEC
~~~~~~~~~~~
G-SEC™  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/