Symantec Confirms AV Library Flaw, Promises Patches

The anti-virus vendor adds "heuristics" exploit detection for a high-risk buffer overflow affecting more than 60 enterprise and consumer products.

Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned.

One day after private security researcher Alex Wheeler flagged the issue as a serious risk, Symantec issued an advisory of its own, confirming the vulnerability exists in 64 enterprise and consumer-facing products.

"Symantec is currently working to create and distribute product updates for all affected products," the company said in a note to customers.

"To date, Symantec has not had any reports of related exploits of this vulnerability."

/zimages/5/28571.gifHigh risk flaw in Symantec AntiVirus Library. Click here to read more.

The Cupertino, Calif.-based Symantec rates the risk as "high" and warned that it could lead to remote access attacks.

The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files.

"A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file," the advisory read.

A long list of vulnerable products include enterprise class products Norton AntiVirus for Microsoft Exchange, Symantec AntiVirus/Filtering for Domino NT, Symantec AntiVirus for SMTP, Symantec BrightMail AntiSpam and Symantec AntiVirus Corporate Edition.

The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh.

To mitigate the risk before patches are ready, Symantec has posted an AntiVirus based protection signature to LiveUpdate to provide "heuristic detection" for potential exploits.

The update is available through LiveUpdate to all desktop, server and gateway product versions of products and appliances that contain the decomposer RAR archive hole.

"Symantec strongly recommends that customers immediately ensure their products are up-to-date to protect against possible threats."

/zimages/5/28571.gifSymantec buys anti-phishing vendor. Click here to read more.

In a published advisory, Wheeler said the vulnerability is the result of unchecked 16-bit length fields in RAR sub-block header types.

"An attacker may craft a sub-block header to overwrite heap memory with user controlled file data to execute arbitrary code. Successful attack will yield system/root-level privileges and is available through e-mail without user interaction," he explained.

Wheeler recommends that users disable the scanning of RAR compressed files, including RAR self-extracting files.

The RAR file format is commonly used for data compression and archiving and is popular among users looking to compress very large music and video files.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.