Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Zip bombs are fun. I discovered a vulnerability in a security product once where it wouldn’t properly scan a file for malware if the file was or contained a zip archive greater than a certain size.

The practical effect of this was you could place a zip bomb in an office xml document and this product would pass the ooxml file through even if it contained easily identifiable malware.



Eh I got news for ya.

The file size problem is still an issue for many big name EDRs.


Undoubtedly. If you go poking around most any security product (the product I was referring to was not in the EDR space,) you'll see these sorts of issues all over the place.


It have to be the way it is.

Scanning them are resources intensive. The choice are (1) skip scanning them; (2) treat them as malware; (3) scan them and be DoS'ed.

(deferring the decision to human iss effectively DoS'ing your IT support team)


Option #4, detect the zip bomb in its compressed form, and skip over that section of the file. Just like the malware ignores the zip bomb.


Just the fact that it contains a zip bomb makes it malware by itself.


It does not have to be the way it is. Security vendors could do a much better job testing and red teaming their products to avoid bypasses, and have more sensible defaults.


is that endpoint detection and response?


Yes




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: