Symantec's virus scanning module buggy
February 10, 2005
Symantec has issued a patch plugging a hole in its scanning software that could cause the scanner to execute a virus rather than catch it.
More than thirty Symantec products are affected, including Norton Antivirus 2004 and Norton Internet Security 2004 (pro) for home users. Detailed information about the scare is available on Symantec's Security Response website.
Symantec rates the vulnerabilities as a "high risk impact" and recommends users patch their software via its LiveUpdate service.
Home systems are not the only ones affected: because the vulnerability spreads through cross-platform interdependency to a whole range of other Symantec products, such as BrightMail AntiSpam, corporate networks and mail-routing servers could also be compromised.
"The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library," Symantec said in an advisory. "This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks."
The problem exists in how the scanning code handles a compression format known as UPX (the Ultimate Packer for Executables). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through e-mail or host it on a Web site. An unpatched Symantec scanner checking incoming e-mail or the Web pages that users browse would run the program instead of catching the virus. Technically, maliciously constructed UPX files could be created to cause a heap-based buffer overflow. This in turn makes it possible for malicious hackers to inject hostile code onto vulnerable systems, allowing them to be taken over by attackers.
Newer products, such as Symantec's Norton Internet Security 2005, are not affected by this fault because the company dropped the DEC2EXE scan engine from its later software suites.