‘Critical’ Symantec AV security flaw
p2pnet.net News View:- Secunia today gave its Highly Critical rating to a vulnerability in multiple Symantec products that could be exploited by malicious hackers.
Affected products include most Symantec anti-virus and anti-spam applications such as Norton SystemWorks 2004 and Symantec Mail Security for Exchange.
Reported by ISS X-Force, the hole is caused by a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files, says Secunia.
“This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file.”
Symantec admits, “An attacker sending a specifically crafted UPX file could potentially compromise the targeted system”.
However, it says the DEC2EXE engine is no longer needed to parse compressed files, going on:
“Prior to ISS contacting Symantec with this vulnerability, Symantec had already removed the DEC2EXE engine from the scan engine upgrades implemented in the majority of Symantec products. Also, Symantec had planned the DEC2EXE engine removal from all affected Symantec product versions during upcoming maintenance updates.”
Be that as it may, Symantec hasn’t yet issued a patch, as p2pnet readers point out in the comments below.
Updates or Maintenance Releases for all impacted product versions that weren’t already revised in the latest product build release are available either through Symantec’s LiveUpdate, for those products that have LiveUpdate capability, or from Symantec Product Support.
===================
See:-
Highly Critical - Symantec Multiple Products UPX Parsing Engine Buffer Overflow, Secunia, February 10, 2005
no longer needed – Symantec UPX Parsing Engine Heap Overflow, Symantec, February 8, 2005





February 10th, 2005 at 8:56 pm
Stay tuned Symantec has not issued a patch for this yet…….
February 10th, 2005 at 8:58 pm
Seriously:::::::::::::::::::;;;
Handlers Diary February 9th 2005
Updated February 10th 2005 19:38 UTC (Handler: Erik Fichtner)
* Updated: Serious Symantec Vulnerability, 1-day exploits, and the missing 13th patch
Serious Symantec Vulnerability
Update: It appears that Symantec has not actually released the patches as is mentioned on their web site. We have not found any patches for the Symantec Antivirus Corporate Edition 8 and 9. We are investigating this further.
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
ISS X-Force has found a serious heap overflow vulnerability in many versions of the Symantec UPX decompression engine. As some of you may be aware, most modern trojans are packed with a combination of obfuscating and compression methods to evade detection; a component of which is UPX compression. It is conjectured that malware will soon take advantage of this attack to evade, disable, and possibly damage Symantec security products. Please examine the list of products posted by SARC and take immediate action to remedy any vulnerability you might be exposed to. Hotfixes are available. Stop reading and go patch now. This webpage will be here when you get back, which is more than we can say for your browsing experience should you decide NOT to take action.
Further information is available at http://xforce.iss.net/xforce/alerts/id/187