Symantec Anti-Virus Vulnerability

A security researcher has uncovered a dangerous weakness in Symantec's antivirus products that could allow malware to corrupt the software and execute malicious programs on the user's computer.

Alex Wheeler, a security researcher who recently left Internet Security Systems, said there is a problem in the way that Symantec's software unwraps RAR files, a form of file compression similar to ZIP files. Wheeler found that a virus or worm hidden inside a specially crafted RAR file could be made to run on the user's machine and allow attackers to take complete control over computers running the program.

Wheeler's advisory notes that if users have configured their Symantec product to automatically scan all incoming e-mail, the vulnerability could be exploited remotely without any action on the part of the user. The advisory also says it is likely this vulnerability affects a substantial portion of Symantec's antivirus products, including its gateway server, a product widely implemented in corporate environments.

According to the Symantec advisory, this problem affects Symantec Antivirus Corporate Edition, Symantec Brightmail Anti-Spam, Symantec Client Security, Symantec Gateway Security, Norton Antivirus (for Windows and Mac), Norton Antivirus for MS Exchange, and Norton Internet Security.

This is not the first time we've seen similarly serious vulnerabilities in antivirus products. This flaw is very similar to others, including one Wheeler called attention to in February. Other similar flaws this year were found in products from Trend Micro, F-Secure, McAfee and ClamAV.

According to this advisory at SecurityFocus, the vulnerable portion of Symantec's code is also licensed to a substantial number of vendors with products and services that are likely affected.

The Symantec advisory says there doesn't appear to be any malware exploiting this flaw yet, but that may be just a matter of time. A ton of malware arrives as RAR files, including the recent Dasher worm.

Symantec has not yet released an update for this vulnerability, and recommends that people disable automatic scanning of RAR files. So if you're using Symantec's products, be careful not only about opening those attachments, but about scanning them as well.

Update, 1:43 p.m. ET: The earlier version of this post credited the discovery to Internet Security Systems. Wheeler recently left ISS and is now an independent security researcher. The above post has been updated to reflect that.

Update, 2:27 p.m. ET, Dec. 21: Symantec says it has posted an update through its Live Update service that will look for any activity that appears to be doing unusual things with .RAR files. The company said information about specific product updates and mitigation will be posted to the Symantec Security Response Web site later today.

By Brian Krebs  |  December 20, 2005; 1:10 PM ET
Categories:  Latest Warnings  


1) Where is the Symantec advisory?
2) Symantec site says Enterprise Anti-virus does not scan RAR files. Do you have additional information on what versions do and do not scan RAR files?
3) If scanning RAR files is risky, is it less risky not to scan them?

Thank you.

Posted by: Duncan | December 20, 2005 8:14 PM

How do you go about disabling RAR scanning?
"recommends that people disable automatic scanning of RAR files"

Posted by: Doug Campbell | December 21, 2005 11:00 AM

Re: Doug Campbell

If you look above in the Trackback section there is a link you can follow to PC-Doctor that will show you how to disable scanning of .RAR attachments.

Posted by: David Taylor | December 21, 2005 12:19 PM

The comments to this entry are closed.


© 2010 The Washington Post Company