zapjb
12-21-2005, 05:10 PM
Symantec's range of antivirus software is under imminent threat from a loophole discovered by an independent security expert, who says the flaw could permit certain virus or worms to attack and destroy programs on users' PCs.
Alex Wheeler, an erstwhile Internet Security Systems consultant is said to have identified and announced the weak code area. Subsequently, Symantec issued a note to all users, through its DeepSight Threat Management System, informing and recommending steps to tackle the issue. Wheeler has said that the weakness is resident in the process of unzipping RAR compressed files. RAR files are formed by the WinRAR compression tool, designed and sold by RarLab. The RAR file type is popularly used for compressing and archiving data, especially huge music or video files.
If the RAR file is created in a certain malicious manner, it could tuck into its fold a virus or worm designed to run amok on the PC and gain destructive control of the machine.
The loophole has been christened "Highly critical" by software flaw monitor Secunia and "High" by its own parent, Symantec. The weak code is capable of causing what is known as a “heap overflow”, which further allows a hacker to implement random coding when an infected RAR archive is under scanning. According to Wheeler, the loophole is a consequence of non-checked 16-bit fields in RAR sub-block header formats.
Further, the advisory issuance warns that if the Symantec products have been aligned to check all incoming mail, the loophole could be taken advantage of from remote access without any other interaction from the user's end. The probability that most of the Symantec product range falls under this threat is also high, including its gateway service which is used for corporate setups. The problem definitely influences Symantec Antivirus Corporate Edition, Symantec Client Security, Symantec Brightmail Anti-Spam, Symantec Gateway Security, Norton Antivirus, both for Windows and Macintosh, Norton Internet Security and Norton Antivirus for MS Exchange. Worse, the code area afflicted with the weakness is licensed heavily to several vendors with numerous services and products at risk.
The warning from Wheeler says that though the flaw has not been really attacked yet, the danger is very potentially heavy, so to say. Dasher worm, the recently identified virus, came in hordes via RAR files.
Symantec users do not have any updated patch available to ward off the threat. In the meantime, Symantec has suggested that users disable auto-scanning of RAR type files and exercise care over opening such attachments too.
Historically, antivirus software has often been affected by such weaknesses and problems. This is the second instance of weakness in scanning functions of Symantec discovered by Wheeler. Earlier, in February, a similar scanning weakness was found by him vis-à-vis UPX type files. Wheeler is a reputed security expert specializing in discovering and analyzing security software flaws. Recently in 2005 itself, he unearthed some major flaws in big brand products like those of McAfee, Kaspersky Labs, Trend Micro, F-Secure and ClamAV. Every loophole discovered was focused on anti-virus scanning of compressed file types.
:source: Source: http://www.whatistheword.com/story/SciTech_437.html
Alex Wheeler, an erstwhile Internet Security Systems consultant is said to have identified and announced the weak code area. Subsequently, Symantec issued a note to all users, through its DeepSight Threat Management System, informing and recommending steps to tackle the issue. Wheeler has said that the weakness is resident in the process of unzipping RAR compressed files. RAR files are formed by the WinRAR compression tool, designed and sold by RarLab. The RAR file type is popularly used for compressing and archiving data, especially huge music or video files.
If the RAR file is created in a certain malicious manner, it could tuck into its fold a virus or worm designed to run amok on the PC and gain destructive control of the machine.
The loophole has been christened "Highly critical" by software flaw monitor Secunia and "High" by its own parent, Symantec. The weak code is capable of causing what is known as a “heap overflow”, which further allows a hacker to implement random coding when an infected RAR archive is under scanning. According to Wheeler, the loophole is a consequence of non-checked 16-bit fields in RAR sub-block header formats.
Further, the advisory issuance warns that if the Symantec products have been aligned to check all incoming mail, the loophole could be taken advantage of from remote access without any other interaction from the user's end. The probability that most of the Symantec product range falls under this threat is also high, including its gateway service which is used for corporate setups. The problem definitely influences Symantec Antivirus Corporate Edition, Symantec Client Security, Symantec Brightmail Anti-Spam, Symantec Gateway Security, Norton Antivirus, both for Windows and Macintosh, Norton Internet Security and Norton Antivirus for MS Exchange. Worse, the code area afflicted with the weakness is licensed heavily to several vendors with numerous services and products at risk.
The warning from Wheeler says that though the flaw has not been really attacked yet, the danger is very potentially heavy, so to say. Dasher worm, the recently identified virus, came in hordes via RAR files.
Symantec users do not have any updated patch available to ward off the threat. In the meantime, Symantec has suggested that users disable auto-scanning of RAR type files and exercise care over opening such attachments too.
Historically, antivirus software has often been affected by such weaknesses and problems. This is the second instance of weakness in scanning functions of Symantec discovered by Wheeler. Earlier, in February, a similar scanning weakness was found by him vis-à-vis UPX type files. Wheeler is a reputed security expert specializing in discovering and analyzing security software flaws. Recently in 2005 itself, he unearthed some major flaws in big brand products like those of McAfee, Kaspersky Labs, Trend Micro, F-Secure and ClamAV. Every loophole discovered was focused on anti-virus scanning of compressed file types.
:source: Source: http://www.whatistheword.com/story/SciTech_437.html