Symantec Anti-Virus Vulnerability
A security researcher has uncovered a dangerous weakness in Symantec's antivirus products that could allow malware to corrupt the software and execute malicious programs on the user's computer.
Alex Wheeler, a security researcher who recently left Internet Security Systems, said there is a problem in the way that Symantec's software unwraps RAR files, a form of file compression similar to ZIP files. Wheeler found that a virus or worm hidden inside a specially crafted RAR file could be made to run on the user's machine and allow attackers to take complete control over computers running the program.
Wheeler's advisory notes that if users have configured their Symantec product to automatically scan all incoming e-mail, the vulnerability could be exploited remotely without any action on the part of the user. The advisory also says it is likely this vulnerability affects a substantial portion of Symantec's antivirus products, including its gateway server, a product widely implemented in corporate environments.
According to the Symantec advisory, this problem affects Symantec Antivirus Corporate Edition, Symantec Brightmail Anti-Spam, Symantec Client Security, Symantec Gateway Security, Norton Antivirus (for Windows and Mac), Norton Antivirus for MS Exchange, and Norton Internet Security.
This is not the first time we've seen similarly serious vulnerabilities in antivirus products. This flaw is very similar to others, including one Wheeler called attention to in February. Other similar flaws this year were found in products from Trend Micro, F-Secure, McAfee and ClamAV.
The Symantec advisory says there doesn't appear to be any malware exploiting this flaw yet, but that may be just a matter of time. A ton of malware arrives as RAR files, including the recent Dasher worm.
Symantec has not yet released an update for this vulnerability, and recommends that people disable automatic scanning of RAR files. So if you're using Symantec's products, be careful not only about opening those attachments, but about scanning them as well.
Update, 1:43 p.m. ET: The earlier version of this post credited the discovery to Internet Security Systems. Wheeler recently left ISS and is now an independent security researcher. The above post has been updated to reflect that.
Update, 2:27 p.m. ET, Dec. 21: Symantec says it has posted an update through its Live Update service that will look for any activity that appears to be doing unusual things with .RAR files. The company said information about specific product updates and mitigation will be posted to the Symantec Security Response Web site later today.