[unisog] Symantec Vulnerability

Dean De Beer ddb at plazacollege.edu
Thu Feb 10 17:23:54 GMT 2005

I think from what this bulletin from Symantec says the patch can be updated
both ways (http://www.sarc.com/avcenter/security/Content/2005.02.08.html).
Regarding the second point you made, there is an article from Watchguard
that states that the flaw can be exploited without the user opening the file.

Here is the excerpt:

"Yesterday, Symantec warned of a new buffer overflow vulnerability that
affects many of their antivirus (AV) applications. By sending your users an
e-mail containing a specially-crafted attachment, an attacker could exploit
this flaw to execute code and gain total control of their computers. Your
users do not need to open the malicious e-mail in order for this attack to
succeed. If you use any of Symantec's AV products, force a LiveUpdate
immediately to ensure that you have the latest versions of their software
and scanning engine. 
In a bulletin released yesterday, Symantec and ISS X-Force warned of a new
buffer overflow flaw that affects many of their antivirus (AV) products.
(For a complete list of affected products, see the "Affected Products"
section of Symantec's alert.) The buffer overflow flaw resides in one of
Symantec's older scanning engines. The vulnerable engine doesn't properly
parse UPX compressed files. UPX, or Ultimate Packer for eXecutables, is a
special compression technology used to make executable files smaller. Virus
authors often use UPX compression to minimize the size of their viruses. 

By sending an e-mail containing a specially-crafted, UPX-compressed
attachment, an attacker can exploit this buffer overflow to execute code on
any computer running Symantec AV software. With Symantec's Auto-Protect
features enabled, the parsing problem occurs before the intended victim sees
the e-mail. That means the victim doesn't have to open the e-mail in order
for this attack to succeed; in fact, it can work without any user
interaction whatsoever. Once the infected e-mail is received at a valid
address on your network, the attacker could obtain full control of a
victim's PC. 

This flaw presents a critical risk. Imagine if an attacker sent a
specially-crafted attack e-mail to your entire organization. If you use
Symantec's Corporate AV solutions, the attacker could gain control of your
gateway AV server and all your clients in one fell swoop."

I hope this helps.


Dean De Beer

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Gary Flynn
Sent: Thursday, February 10, 2005 11:34 AM
To: unisog at sans.org
Subject: [unisog] Symantec Vulnerability


1. Does anyone know if the "maintenance release" needed to
    fix the corporate edition of Symantec AV will be
    distributed through Liveupdate or whether it will
    require a software installation distribution process?
    The advisory was confusing to me on that issue. It first

    "Symantec product engineers have developed and released
     updates or Maintenance Releases for all impacted product
     versions that were not already upgraded in the latest
     product build release. Updates and Maintenance Releases
     are available either through Symantec's LiveUpdate for
     those products that have LiveUpdate capability or from
     the Symantec Product Support site"

    But later, under the heading "Symantec Antivirus
    Corporate Edition and Symantec Client Security
    upgrades:", it says:

    "Symantec has tested and posted Maintenance Releases to
    address this issue in affected Symantec AntiVirus Corporate
    Edition versions for both the standalone product and the
    integrated Symantec Client Security. The Maintenance Release
    removes the DEC2EXE engine from the affected products and
    upgrades the scan engine to a new version."

    "Symantec strongly recommends customers, if they are not
     already running a current non-vulnerable product
     version/build, upgrade to their appropriate product
     update immediately to protect against these types of

     "Customers can obtain a Maintenance Release update
      through the Symantec Enterprise Support
      site http://www.symantec.com/techsupp. "

2. Anyone have any thoughts on the seriousness of this
    defect? At first glance, it would require someone
    to open a file that, perhaps they shouldn't before
    Symantec would scan it. But I guess it wouldn't have
    to be an executable file so more people than normal
    may open it. The other thing I thought of was browser
    cache. AV kicks off on javascript type malware when
    simply browsing the web as it gets loaded into browser
    cache. I wonder if there is a way to get UPX compressed
    files into cache the same way.


Gary Flynn
Security Engineer
James Madison University

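Gary's second question (does the victim have to open the file?) and the Watchguard excerpt Dean quotes both turn on the same point: an on-access or gateway scanner parses attachment headers the moment mail arrives, so a hostile file reaches the vulnerable parser with no user involved. The script below is an added example for this thread, not code from Symantec, Watchguard or either poster. It is a gateway-side stopgap that quarantines attachments carrying the usual UPX markers (section names UPX0/UPX1/UPX2 and the "UPX!" signature string), which an administrator could run in front of unpatched clients. It does not model the malformed input that triggers the DEC2EXE bug, which this thread does not describe, and the sample message and PE headers it scans are constructed inline.

```python
"""Gateway-side stopgap: flag UPX-packed PE attachments in an e-mail.

Added example for this thread, not code from Symantec, Watchguard or the
list posters. It assumes the standard UPX markers (section names
UPX0/UPX1/UPX2 and the "UPX!" signature string) and quarantines on those;
it does not model the malformed input the DEC2EXE bug needs.
"""
import email
import struct
from email.message import EmailMessage
from email.policy import default

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE.

    Every offset is bounds-checked before use: the thread is about an engine
    that trusted attacker-controlled headers, so this scanner must not.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                        # header claims more sections than exist
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names in the PE header, or the UPX! signature."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES) or UPX_MAGIC in data


def scan_message(raw: bytes) -> list:
    """Return the filenames of attachments that look UPX-packed."""
    msg = email.message_from_bytes(raw, policy=default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_upx_packed(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def build_fake_pe(section_names, claimed_sections=None) -> bytes:
    """Constructed sample: a minimal PE header with the given section names.

    Not a runnable executable; it only exercises the header parser.
    claimed_sections lets a test lie about the section count, as a hostile
    file would.
    """
    if claimed_sections is None:
        claimed_sections = len(section_names)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, claimed_sections, 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


def build_sample_message() -> bytes:
    """Constructed sample mail: one UPX-looking PE, one plain PE, one text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]),
                       maintype="application", subtype="octet-stream",
                       filename="report.exe")
    msg.add_attachment(build_fake_pe([b".text", b".data"]),
                       maintype="application", subtype="octet-stream",
                       filename="tool.exe")
    msg.add_attachment("Plain notes.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print("quarantine:", scan_message(build_sample_message()))
```

This is a heuristic, not a fix: section names are attacker-chosen and can be renamed, and a file need not carry a .exe name to be parsed by an on-access scanner, which also answers Gary's browser-cache question in the affirmative in principle. The real mitigation is the maintenance release that removes the DEC2EXE engine; the filter only buys time until clients and the gateway server are upgraded.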