Vulnerability Note VU#968818

Anti-virus software may not properly scan malformed zip archives

Original Release date: 10 Dec 2004 | Last revised: 14 Jan 2005


Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive.


Information about a zip archive, such as the size of the compressed data, is placed in headers within the archive. An attacker may be able to modify these headers to indicate that an archive contains files with sizes/lengths of zero. If anti-virus software relies on zip archive headers to determine archive validity, the anti-virus software may incorrectly interpret an archive with maliciously modified headers to contain zero-length files. Consequently, the anti-virus software would fail to detect the malicious content and allow the archive into the system.

Please note that a user may still have to extract the contents of the malicious archive to trigger exploitation.


A remote attacker may be able to craft a malicious zip archive that will evade detection by anti-virus software. Once in the system, if the remote attacker can persuade the user to accesses the malicious archive, the attacker may be able to execute arbitrary code on that user's system.


Consult Anti-Virus Vendors

Users are encouraged to contact their anti-virus vendors to determine if they are vulnerable and what corrective actions to take.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AKSUnknown24 Nov 200409 Dec 2004
Check PointUnknown24 Nov 200409 Dec 2004
CommandComUnknown24 Nov 200409 Dec 2004
Computer AssociatesUnknown-09 Dec 2004
CPANUnknown-09 Dec 2004
CyberSoftUnknown24 Nov 200409 Dec 2004
eset AntivirusUnknown-09 Dec 2004
F-SecureUnknown24 Nov 200409 Dec 2004
Finjan SoftwareUnknown24 Nov 200409 Dec 2004
FortinetUnknown24 Nov 200409 Dec 2004
KaperskyUnknown-09 Dec 2004
McAfeeUnknown-09 Dec 2004
MessageLabsUnknown24 Nov 200409 Dec 2004
RAVUnknown-09 Dec 2004
SophosUnknown-09 Dec 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly reported by iDefense. Thanks to Dan Plakosh for providing information concerning this issue.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 18 Oct 2004
  • Date First Published: 10 Dec 2004
  • Date Last Updated: 14 Jan 2005
  • Severity Metric: 7.59
  • Document Revision: 106


If you have feedback, comments, or additional information about this vulnerability, please send us email.