Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run
A vulnerability has been discovered in Sophos's unpacking of Microsoft Cabinet files, whereby a Microsoft Cabinet (CAB) file could be deliberately crafted to allow an attacker to execute arbitrary code on a vulnerable installation of Sophos
Although this is theoretically a risk, Sophos has not seen any examples of malware attempting to exploit this vulnerability.
Furthermore, the vulnerability does not prevent Sophos's desktop on-access scanner from correctly detecting viruses (and preventing actual infection) which are unpacked from affected files, so the risks of infection are very small.
Sophos has ensured that all of its products are protected against this issue.
- Where necessary, you should upgrade to versions that are unaffected.
- Customers using EM Library and Sophos small business solutions will have received these updates automatically.
| Sophos | Affected versions | Non-affected versions | Update available |
|---|---|---|---|
| Sophos Anti-Virus for Windows 2000+ v 5 | 5.2.0 and below | 5.2.1 and above | 5 May 2006 |
| Sophos | 4.5.11 and below | 4.5.12 and above | 28 April 2006 |
| Sophos | 4.5.11 and below | 4.5.12 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.7.1 and below | 4.7.2 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |

| Small business solutions | Affected versions | Non-affected versions | Update available |
|---|---|---|---|
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| Sophos | 4.04 and below | 4.05 and above | 28 April 2006 |
| PureMessage Small Business Edition | 4.04 and below | 4.05 and above | 28 April 2006 |

| Gateway products | Affected versions | Non-affected versions | Update available |
|---|---|---|---|
| PureMessage for Windows/Exchange | SAV version 5.2.0 and below | SAV version 5.2.1 and above | 5 May 2006 |
| PureMessage for UNIX | SAV version 4.04 and below | SAV version 4.05 and above | 28 April 2006 |
| MailMonitor for SMTP - Windows | SAV version 4.04 and below | SAV version 4.05 and above | 28 April 2006 |
| MailMonitor for SMTP - Windows | SAV version 4.04 and below | SAV version 4.05 and above | 28 April 2006 |
| MailMonitor for Notes/Domino | SAV version 4.04 and below | SAV version 4.05 and above | 28 April 2006 |
| MailMonitor for Exchange | SAV version 4.04 and below | SAV version 4.05 and above | 28 April 2006 |
Sophos thanks TippingPoint for their assistance in identifying this vulnerability.
Technical details
A flaw exists within the unpacking of Microsoft Cabinet files. Parsing a specially crafted cabinet file can lead to an exploitable heap corruption. This vulnerability is only exposed when cabinet file inspection is explicitly enabled.
Authentication is not required to exploit this vulnerability. This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable installation of Sophos
If you need more information or guidance, then please contact technical support.
- Article ID: 14934
- Created: 4 May 2006
- Last updated: 5 Oct 2006
