Affected products :
- Global Protection 2009 (Hotifx)
Internet Security 2009 (Hotifx)
Panda Antivirus Pro 2009 (Hotfix)
Panda Security for Business with Exchange
Panda Security for Business
Panda Security for Enterprise
Panda GateDefender Integra (patched through automatic updates)
Panda GateDefender Performa (patched through automatic updates)
Panda AdminSecure (patched thorugh automatic updates)
- Panda Managed Office Protection
Quote : "What virus protection guarantees does TrustLayer offer?
With respect to the antivirus filtering service, TrustLayer
offers a 100% virus-free contractual guarantee."
Quote: "Panda Security is one of the world's leading creators
and developers of technologies, products and services for
keeping clients' IT resources free from viruses and other
computer threats at the lowest possible Total Cost of Ownership."
The parsing engine can be bypassed by a specially crafted CAB
The bug results in denying the engine the possibility to inspect
code within CAB archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.
IV. Disclosure timeline
13/04/2009 : Send proof of concept CAB, description the terms under which
I cooperate and the planned disclosure date
13/04/2009 : Panda acks receipt and starts investigating
15/04/2009 : Panda denies DoS and bypass condition and considers the bug a reporting
issue as a MAX Size rule blocks the sample.
16/04/2009 : Ask if the Gatedefender product ranges, detects, flags or
blocks the POC file.
17/04/2009 : Provide a new POC file to Panda that aims at evading
the Max Size rule and detection.
17/04/2009 : Panda acks receipt and will investigate.
20/04/2009 : Inform Panda that I sent the wrong POC on the 17/04/2009
and attached the correct one.
28/04/2009 : Ping Panda for updates
28/04/2009 : Panda states that they are planning the patch timeline
and will inform me asap.
21/05/2009 : Panda informs me of the release of hotfixes and affected
22/05/2009 : Ask for clarification on affected products
22/05/2009 : Release of this advisory.