Researcher Claims Online Anti-virus Scanners Buggy

UPDATED: Online scanners from Symantec, McAfee and Panda all contain buffer overflows. One researcher claims an attacker could execute arbitrary code, another just that they could crash the browser. Panda report

An Israeli security researcher claims to have found security holes in the free online scanners of three major anti-virus companies.

Rafel Ivgi, also known as "The Insider," in posts to several security mailing lists, claims that Panda ActiveScan, McAfee FreeScan, and Symantec Virus Detection all suffer from buffer overflows that could allow an attacker to crash the system and potentially execute arbitrary code.

Within several hours Panda Software reported that they had updated their control to fix the problem, and recommend that all users who have used ActiveScan in the past visit the site and run it in order to update the control.

Symantec states that "Symantec has reviewed the claim and has confirmed that there is not a buffer overflow and no arbitrary code can be executed with Symantec Security Check." McAfee states "McAfee Security has reviewed the code in McAfee FreeScan and found that the application cannot be exploited to cause a buffer overflow, no memory corruption can occur, nor can remote code be executed as described by Rafel Ivgi. Should a user be lured to a Web site that attempts to exploit the McAfee FreeScan ActiveX object, the only potential result would be that users would see an error in their Web browser, resulting in a crash in that session only. This does not represent a serious threat to end users; however, McAfee will release an update that will correct this behavior."

Thomas Kristensen, chief technology officer of Security services firm Secunia in Denmark, argues on the Full-Disclosure mailing list that Ivgis claims with regard to Symantecs and McAfees scanners are exaggerated, and that the problem with those products could at most result in a browser crash.

All three scanners operate as ActiveX controls and therefore support only Internet Explorer users on Windows. All three operate by installing the control on the users system from a Web page on the vendors site and then instructing the control to scan the system.

Ivgis basic claim is the same for all three controls: A very long parameter passed to an interface in the control causes a buffer overflow. In the case of Panda ActiveScan, the buffer need only be 256 characters. In the case of McAfee and Symantec, the buffer needs to be 700,000 characters or more.

An attacker would have to lure a user to a Web page with the malicious code for the attack. Only users who had previously visited the vendor sites and installed the controls would be vulnerable.

Ivgi also reports that the McAfee FreeScan control improperly exposes the values of the users shell folders, such as My Documents, and that the username is retrievable through this method.

Ivgi provides proof-of-concept code for all reported bugs.

Editors Note: This story was updated to include information about Symantecs response.

/zimages/2/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page: