High Risk Flaw in Symantec AntiVirus Library

An independent security researcher on Tuesday flagged an unpatched flaw in the Symantec AntiVirus Library and warned that attackers could exploit the bug to execute arbitrary code when a malicious RAR archive is scanned.

In a published advisory, here in PDF form, researcher Alex Wheeler said the vulnerability is the result of unchecked 16-bit length fields in RAR sub-block header types.

“An attacker may craft a sub-block header to overwrite heap memory with user controlled file data to execute arbitrary code. Successful attack will yield system/root-level privileges and is available through e-mail without user interaction,” Wheeler said.

The RAR file format is widely used for data compression and archiving and is popular among users looking to compress very large music and video files.

However, virus writers are packing malware into RAR files to bypass perimeter defense systems.

Anti-virus vendors such as Symantec Corp. have added RAR archive scanning to their products, but the latest vulnerability points to a new problem.

The Symantec AntiVirus Library powers anti-virus capabilities to desktop, server and gateway systems.

It is also used by several large vendors and ISPs to implement Symantecs AntiVirus Library in third-party products.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

During decompression of RAR files, Wheeler said the library is vulnerable to multiple heap overflows allowing attackers “complete control” of the system being protected.

“These vulnerabilities can be exploited remotely without user interaction in default configurations through common protocols such as SMTP.”

In the advisory, Wheeler said successful exploitation could give a malicious hacker unauthorized control of data and related privileges.

“It also provides leverage for further network compromise,” he added.

“In default configurations, [Symantec] users are likely vulnerable regardless of whether they choose to open or read the e-mail,” Wheeler said.

/zimages/3/28571.gifRead more here about Symantec releasing patches for a security vulnerability in several enterprise and consumer products.

Wheeler recommends that users disable the scanning of RAR compressed files, including RAR self-extracting files.

Affected products include Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition, Symantec AntiVirus for Caching, Symantec AntiVirus for Microsoft Office, Symantec AntiVirus Scan Engine and Symantec BrightMail AntiSpam.

The Norton AntiVirus and Internet Security Suite are also vulnerable.

Editors Note: This story was updated to correct recommendations from researcher Alex Wheeler.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.