Researcher Claims Online Anti-virus Scanners Buggy

By Larry Seltzer  |  Posted 2004-04-07 Print this article Print

UPDATED: Online scanners from Symantec, McAfee and Panda all contain buffer overflows. One researcher claims an attacker could execute arbitrary code, another just that they could crash the browser. Panda report

An Israeli security researcher claims to have found security holes in the free online scanners of three major anti-virus companies. Rafel Ivgi, also known as "The Insider," in posts to several security mailing lists, claims that Panda ActiveScan, McAfee FreeScan, and Symantec Virus Detection all suffer from buffer overflows that could allow an attacker to crash the system and potentially execute arbitrary code.

Within several hours Panda Software reported that they had updated their control to fix the problem, and recommend that all users who have used ActiveScan in the past visit the site and run it in order to update the control.

Symantec states that "Symantec has reviewed the claim and has confirmed that there is not a buffer overflow and no arbitrary code can be executed with Symantec Security Check." McAfee states "McAfee Security has reviewed the code in McAfee FreeScan and found that the application cannot be exploited to cause a buffer overflow, no memory corruption can occur, nor can remote code be executed as described by Rafel Ivgi. Should a user be lured to a Web site that attempts to exploit the McAfee FreeScan ActiveX object, the only potential result would be that users would see an error in their Web browser, resulting in a crash in that session only. This does not represent a serious threat to end users; however, McAfee will release an update that will correct this behavior."

Thomas Kristensen, chief technology officer of Security services firm Secunia in Denmark, argues on the Full-Disclosure mailing list that Ivgis claims with regard to Symantecs and McAfees scanners are exaggerated, and that the problem with those products could at most result in a browser crash.

All three scanners operate as ActiveX controls and therefore support only Internet Explorer users on Windows. All three operate by installing the control on the users system from a Web page on the vendors site and then instructing the control to scan the system.

Ivgis basic claim is the same for all three controls: A very long parameter passed to an interface in the control causes a buffer overflow. In the case of Panda ActiveScan, the buffer need only be 256 characters. In the case of McAfee and Symantec, the buffer needs to be 700,000 characters or more.

An attacker would have to lure a user to a Web page with the malicious code for the attack. Only users who had previously visited the vendor sites and installed the controls would be vulnerable.

Ivgi also reports that the McAfee FreeScan control improperly exposes the values of the users shell folders, such as My Documents, and that the username is retrievable through this method.

Ivgi provides proof-of-concept code for all reported bugs.

Editors Note: This story was updated to include information about Symantecs response. Check out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:  
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel