Flaw opens antivirus gate
Firms updating products against image risk
Antivirus vendors are struggling to update their products to deal with a new loophole that prevents antivirus gateways from spotting malware disguised as HTML images.
The flaw affects HTML data using the RFC2397 image encoding standard, an official IETF standard for encoding content within the net's URL scheme.
If systems are left unpatched, hackers could create attacks that would bypass network antivirus filters. For once, users of Microsoft's Internet Explorer are not at risk, as it does not implement RFC2397 and so ignores all images encoded in this way, legitimate or otherwise. But browsers that fully implement IETF standards, such as Firefox and Mozilla, are at risk. Other programs that process HTML, such as email clients, may also be vulnerable.
Fernando Rynne of antivirus vendor Trend Micro said, "We have started work on filtering RFC2397 data in our gateway product but it's not a trivial thing as we have to update our scan engine. It's not something we can do overnight."
Until filtering systems are updated to deal with the vulnerability, firms should ensure that antivirus signatures are kept up to date at the desktop level.
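The following added example, which is not from the article or from any vendor named in it, shows the check a gateway has to perform: find RFC2397 data: URIs in HTML, decode them, and flag payloads whose bytes do not match the declared image type. The function names, the magic-byte table and the sample HTML are assumptions constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;[\w.+-]+=[^;,\"'\s]*)*"
    r"(?P<b64>;base64)?,(?P<data>[^\"'\s>)]*)",
    re.IGNORECASE,
)

# Leading bytes expected for common image types (subset chosen for this example).
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample: a GIF header, then an "image" whose bytes begin with MZ.
SAMPLE_HTML = (
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="> '
    '<img src="data:image/gif;base64,TVqQAAMAAAAEAAAA">'
)

def decode_data_uris(html):
    """Yield (declared_mime, payload_bytes) for every data: URI in the markup."""
    for m in DATA_URI.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()  # RFC 2397 default type
        raw = unquote_to_bytes(m.group("data"))  # undo %xx escaping first
        if m.group("b64"):
            try:
                raw = base64.b64decode(raw, validate=True)
            except (binascii.Error, ValueError):
                raw = b""  # undecodable: empty payload fails the magic check
        yield mime, raw

def suspicious_payloads(html):
    """Return decoded payloads that do not match their declared image type."""
    findings = []
    for mime, payload in decode_data_uris(html):
        magics = IMAGE_MAGIC.get(mime)
        # Image types missing from the table are flagged so they get a full scan.
        if mime.startswith("image/") and (magics is None or not payload.startswith(magics)):
            findings.append((mime, payload))
    return findings
```

In a real gateway the decoded bytes from decode_data_uris would go to the scan engine in every case; the magic-byte comparison is only a cheap first signal.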
Fred Cohen of analyst firm Burton Group said buyers should demand a more proactive approach from their antivirus providers. "Firms pay millions of dollars per year to update their antivirus signatures because some school kid wrote a virus," he said. "The approach that antivirus vendors are taking is not aimed at ensuring the integrity of computer systems, but to ensure the continuity of their business model."