To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39127781,00.htm

Symantec plugs virus scanning flaw
Software would set viruses off rather than shutting them down... Oops...

By Robert Lemos

Published: Thursday 10 February 2005

Symantec has issued a patch for a flaw in its scanning software that could cause a virus to execute, rather than catch it.

The vulnerability affects an antivirus library used by the majority of Symantec's antivirus and anti-spam products, including Norton SystemWorks 2004 and Symantec Mail Security for Exchange, the security provider said on Tuesday.

The software is aimed at a range of systems, from consumer desktops to large corporate mail servers, meaning the flaw could be used to take control of key corporate systems or to install programs to grab people's identity data.

Symantec said in an advisory: "The impact of this vulnerability is exaggerated by the fact that many email and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library. This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks."

Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

But the flaw does not affect the latest versions of some of the products, such as Norton Antivirus 2005, the company said.

"Symantec strongly recommends that customers ensure their products are up-to-date to protect against this vulnerability," the company said in a statement. "To date, Symantec has not had any reports of related exploits of this vulnerability."

Security information company Secunia, which rates the seriousness of software vulnerabilities, gave the Symantec flaw its second-highest threat grade, "highly critical".

The problem exists in how the scanning code handles a compression format known as the Ultimate Packer for Executables (UPX). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through email or host it on a website. An unpatched Symantec scanner checking incoming email or the web pages that users browse would run the program instead of catching the virus.

Internet Security Systems, the company that found the flaw, stated in an advisory on Tuesday: "The vulnerability can be triggered by an unauthorised remote attacker, without user interaction, by sending an email containing a crafted UPX file to the target." The company said it notified Symantec of the issue when it found it.

The flaw highlights the danger of weaknesses in the security software that acts as a gateway between the unfiltered internet and internal corporate networks. Internet Security Systems experienced such problems firsthand a year ago, when a flaw in its own firewall software was targeted by a worm two days after the public release of an advisory.

Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its website and apply them as soon as possible.

Internet Security Systems could not immediately provide a spokesperson to comment on the issue.

The announcement of the flaw happened the same day that Microsoft released a dozen patches to fix holes in its Windows operating system and other applications. Microsoft also announced it intended to buy security company Sybari, which would put the software giant in direct competition with Symantec.

Other products that use the Symantec antivirus scanning library include Symantec's Brightmail antispam software and Symantec Web Security.