Symantec Patches High-Risk VulnerabilityBy Ryan Naraine | Posted 2005-02-09 Email Print
Symantec discontinues the use of the DEC2EXE parsing engine to address a highly critical flaw affecting multiple product lines.
Network security specialist Symantec Corp. has confirmed a high-risk vulnerability in multiple anti-virus and anti-spam products and warned that a successful exploit could lead to code execution attacks.
The vulnerability, which was reported by Internet Security Systems Inc.'s X-Force unit, is described as a boundary error in the DEC2EXE parsing engine used in versions of the Symantec scan engine.
"The vulnerable DEC2EXE engine contained a heap overflow that could be initiated by sending a specifically crafted UPX file that would be parsed by the vulnerable DEC2EXE engine. If successfully exploited, the attack could potentially result in remote arbitrary code execution and possible compromise of the targeted system," Symantec said in a security advisory.
In response, the Cupertino, Calif.-based company has discontinued use of the DEC2EXE engine, which is no longer required to parse compressed files. Symantec officials said the company had already deleted the vulnerable engine from the majority of its products and had planned to complete the removal from all affected product lines during upcoming maintenance updates.
A separate alert from ISS X-Force said the flaw affects all products that depend on the Symantec AntiVirus Library to push out anti-virus capabilities to desktops, servers and enterprise gateway systems.
"Several large vendors and ISPs implement Symantec's AntiVirus Library in their products. By crafting a UPX file, an attacker is able to trigger a heap overflow within the process importing the Symantec AntiVirus Library," ISS X-Force said in the alert.
The flaw affects multiple enterprise and consumer product lines, ranging from Norton AntiVirus, Symantec Mail Security, AntiVirus/Filtering, Symantec Web Security, Symantec BrightMail AntiSpam and Symantec AntiVirus Corporate Edition.
The company has published a complete list of affected and non-affected products.
Symantec has also posted hotfixes to address this issue for the affected Symantec Gateway Security 5300 and 5400 Series appliances. The fix removes the legacy DEC2EXE engine from the affected products and upgrades the scan engine to a new version.