[unisog] Symantec Vulnerability
Dean De Beer
ddb at plazacollege.edu
Thu Feb 10 17:23:54 GMT 2005
I think from what this bulletin from Symantec says the patch can be updated
both ways (http://www.sarc.com/avcenter/security/Content/2005.02.08.html).
Regarding the second point you made, there is an article from Watchguard
that states that the flaw can be exploited without the user opening the file.
Here is the excerpt:
"Yesterday, Symantec warned of a new buffer overflow vulnerability that
affects many of their antivirus (AV) applications. By sending your users an
e-mail containing a specially-crafted attachment, an attacker could exploit
this flaw to execute code and gain total control of their computers. Your
users do not need to open the malicious e-mail in order for this attack to
succeed. If you use any of Symantec's AV products, force a LiveUpdate
immediately to ensure that you have the latest versions of their software
and scanning engine.
In a bulletin released yesterday, Symantec and ISS X-Force warned of a new
buffer overflow flaw that affects many of their antivirus (AV) products.
(For a complete list of affected products, see the "Affected Products"
section of Symantec's alert.) The buffer overflow flaw resides in one of
Symantec's older scanning engines. The vulnerable engine doesn't properly
parse UPX compressed files. UPX, or Ultimate Packer for eXecutables, is a
special compression technology used to make executable files smaller. Virus
authors often use UPX compression to minimize the size of their viruses.
By sending an e-mail containing a specially-crafted, UPX-compressed
attachment, an attacker can exploit this buffer overflow to execute code on
any computer running Symantec AV software. With Symantec's Auto-Protect
features enabled, the parsing problem occurs before the intended victim sees
the e-mail. That means the victim doesn't have to open the e-mail in order
for this attack to succeed; in fact, it can work without any user
interaction whatsoever. Once the infected e-mail is received at a valid
address on your network, the attacker could obtain full control of a
This flaw presents a critical risk. Imagine if an attacker sent a
specially-crafted attack e-mail to your entire organization. If you use
Symantec's Corporate AV solutions, the attacker could gain control of your
gateway AV server and all your clients in one fell swoop."
I hope this helps.
Dean De Beer
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Gary Flynn
Sent: Thursday, February 10, 2005 11:34 AM
To: unisog at sans.org
Subject: [unisog] Symantec Vulnerability
1. Does anyone know if the "maintenance release" needed to
fix the corporate edition of Symantec AV will be
distributed through Liveupdate or whether it will
require a software installation distribution process?
The advisory was confusing to me on that issue. It first
"Symantec product engineers have developed and released
updates or Maintenance Releases for all impacted product
versions that were not already upgraded in the latest
product build release. Updates and Maintenance Releases
are available either through Symantec's LiveUpdate for
those products that have LiveUpdate capability or from
the Symantec Product Support site"
But later, under the heading "Symantec Antivirus
Corporate Edition and Symantec Client Security
upgrades:", it says:
"Symantec has tested and posted Maintenance Releases to
address this issue in affected Symantec AntiVirus Corporate
Edition versions for both the standalone product and the
integrated Symantec Client Security. The Maintenance Release
removes the DEC2EXE engine from the affected products and
upgrades the scan engine to a new version."
"Symantec strongly recommends customers, if they are not
already running a current non-vulnerable product
version/build, upgrade to their appropriate product
update immediately to protect against these types of
"Customers can obtain a Maintenance Release update
through the Symantec Enterprise Support
site http://www.symantec.com/techsupp. "
2. Anyone have any thoughts on the seriousness of this
defect? At first glance, it would require someone
to open a file that, perhaps they shouldn't before
Symantec would scan it. But I guess it wouldn't have
to be an executable file so more people than normal
may open it. The other thing I thought of was browser
simply browsing the web as it gets loaded into browser
cache. I wonder if there is a way to get UPX compressed
files into cache the same way.
James Madison University
_______________________________________________
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog