OK, so what do Norton AV, Kaspersky AV, AVG AV, Norman AV, Ad-Aware, Spybot Search&Destroy and all Windows versions from NT4.0SP1 to Windows Server 2003 SP1 all have in common? A rather nasty design flaw apparently.
Reportedly “there is a design flaw in the way that NTDLL performs path conversion between DOS style path names and NT syle path names. Although many attack vectors are possible, in this paper [see later] some proof of concept cases are covered”. “This issue occurs because the operating system uses multiple differing algorithms to resolve file paths. Attackers may exploit this issue to bypass security software such as antivirus and antispyware products. Other attacks may also be possible.”, continues Symantec.
The folk at SANS ISC have verified the aforementioned behaviour. Make sure your antivirus signatures are up to date.
[tags]Antivirus, Exploit, NTDLL, Path conversion, Vulnerability[/tags]
