[ISN] 'High' risk in Symantec antivirus software flaw

From: InfoSec News (isn@private)
Date: Wed Dec 21 2005 - 23:03:49 PST


http://news.com.com/High+risk+in+Symantec+antivirus+software+flaw/2100-1002_3-6004097.html

By Colin Barker 
Special to CNET News.com
December 21, 2005

Symantec's antivirus software contains a vulnerability that could be
exploited by a malicious hacker to take control of a system, the
company said late Tuesday.

According to Symantec, the bug, which affects a range of the company's
security products, is a "high" risk. Danish security company Secunia
has labeled it "highly critical."

According to an advisory issued by Secunia, the bug affects most of
Symantec's products, including enterprise and home user versions of
Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton
Internet Security, across the Windows and Macintosh platforms.

The vulnerability is within Symantec AntiVirus Library, which provides
file format support for virus analysis. "During decompression of RAR
files, Symantec is vulnerable to multiple heap overflows allowing
attackers complete control of the system(s) being protected," said
security consultant Alex Wheeler, who first discovered the flaw.
"These vulnerabilities can be exploited remotely, without user
interaction, in default configurations through common protocols such
as SMTP."

RAR is a native format for WinRAR, which is used to compress and
decompress data. So far, the vulnerability has been reported in
Dec2Rar.dll version 3.2.14.3 and, according to Wheeler, potentially
affects all Symantec products that use the DLL. The full list of
products affected can be seen here.

Symantec has not yet released a patch to address this problem. In the
meantime, Wheeler recommends that users "disable scanning of
RAR-compressed files until the vulnerable code is fixed."

This is not the first vulnerability Wheeler has discovered. In
October, he highlighted a similar flaw in Kaspersky Lab's antivirus
software, which was later acknowledged by the company. Again, it was a
heap overflow vulnerability.

In February, he found a different heap overflow vulnerability in
Symantec's antivirus software.





