'High' risk in Symantec antivirus software flaw

By Colin Barker

Story last modified Wed Dec 21 08:06:00 PST 2005
Symantec's antivirus software contains a vulnerability that could be
exploited by a malicious hacker to take control of a system, the company
said late Tuesday.

According to Symantec, the bug, which affects a range of the company's
security products, is a "high" risk. Denmark security company Secunia has
labeled it "highly critical."

According to an advisory issued by Secunia, the bug affects most of
Symantec's products, including enterprise and home user versions of Symantec
AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security,
across the Windows and Macintosh platforms.

The vulnerability is within Symantec AntiVirus Library, which provides file
format support for virus analysis. "During decompression of RAR files,
Symantec is vulnerable to multiple heap overflows allowing attackers
complete control of the system(s) being protected," said security consultant
Alex Wheeler, who first discovered the flaw. "These vulnerabilities can be
exploited remotely, without user interaction, in default configurations
through common protocols such as SMTP."

RAR is a native format for WinRAR, which is used to compress and decompress
data. So far, the vulnerability has been reported in Dec2Rar.dll version and, according to Wheeler, potentially affects all Symantec
products that use the DLL. The full list of products affected can be seen

Symantec has not yet released a patch to address this problem. In the
meantime, Wheeler recommends that users "disable scanning of RAR-compressed
files until the vulnerable code is fixed."

This is not the first vulnerability Wheeler has discovered. In October, he
highlighted a similar flaw in Kaspersky Lab's antivirus software, which was
later acknowledged by the company. Again, it was a heap overflow

In February, he found a different heap overflow vulnerability in Symantec's
antivirus software. 

You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to