[ISN] Symantec flaw leaves opening for viruses

InfoSec News isn at c4i.org
Thu Feb 10 05:23:28 EST 2005


By Robert Lemos 
Staff Writer, CNET News.com
February 9, 2005

Symantec has issued a patch for a flaw in its scanning software that
could cause the scanner to execute a virus rather than catch it.

The vulnerability affects an antivirus library used by the majority of
Symantec's antivirus and antispam products, including Norton
SystemWorks 2004 and Symantec Mail Security for Exchange, the security
provider said on Tuesday.

The software is aimed at a range of systems, from consumer desktops to
large corporate mail servers, meaning the flaw could be used to take
control of key corporate systems or to install programs to grab
people's identity data.

"The impact of this vulnerability is exaggerated by the fact that many
e-mail and other traffic routing gateways make use of file-scanning
utilities that make use of the vulnerable library," Symantec said in
an advisory. "This could allow an attacker to potentially exploit
high-profile systems used to filter malicious data, and potentially
allow further compromise of targeted internal networks."

Computers are at risk if they run an unpatched version of a Symantec
product that scans files to detect malicious code and if they use the
Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems,
Symantec said.

But the flaw does not affect the latest versions of some of the
products, such as Norton Antivirus 2005, the company said.

"Symantec strongly recommends that customers ensure their products are
up-to-date to protect against this vulnerability," the company said in
a statement. "To date, Symantec has not had any reports of related
exploits of this vulnerability."

Security information company Secunia, which rates the seriousness of
software vulnerabilities, gave the Symantec flaw its second-highest
threat grade, "highly critical."

The problem exists in how the scanning code handles a compression
format known as the Ultimate Packer for Executables (UPX). An attacker
could create a virus designed to exploit the UPX flaw and send it to
victims through e-mail or host it on a Web site. An unpatched Symantec
scanner checking incoming e-mail or the Web pages that users browse
would run the program instead of catching the virus.

"The vulnerability can be triggered by an unauthorized remote
attacker, without user interaction, by sending an e-mail containing a
crafted UPX file to the target," Internet Security Systems, the
company that found the flaw, stated in an advisory on Tuesday. The
company said it notified Symantec of the issue when it found it.

The flaw highlights the danger of weaknesses in the security software
that acts as a gateway between the unfiltered Internet and internal
corporate networks. Internet Security Systems experienced such
problems firsthand a year ago, when a flaw in its own firewall
software was targeted by a worm two days after the public release of
an advisory.

Symantec is distributing patches to its customers through its
LiveUpdate automatic update service and other mechanisms. It warned
companies that do not use those services to download the patches from
its Web site and apply them as soon as possible.

Internet Security Systems could not immediately provide a spokesperson
to comment on the issue.

The announcement of the flaw happened the same day that Microsoft
released a dozen patches to fix holes in its Windows operating system
and other applications. Microsoft also announced it intended to buy
security company Sybari, which would put the software giant in direct
competition with Symantec.

Other products that use the Symantec antivirus scanning library
include Symantec's Brightmail antispam software and Symantec Web
