Symantec Antivirus Not Antiflaw

A serious flaw has been found in Symantec's Antivirus software which allows remote attackers to gain control of a user's system.

We actually aren't fond of the 'allows remote attackers to gain control' description, as it's a bit of a misnomer, but it seems to be the current panic-alert buzz sentence. Flaws like this involve third parties being able to run malicious code; they may well choose to install a back door, or they may just choose to pop up a 'hello world' window. We do, however, accept that they are more likely to do the first!

This particular vulnerability causes a heap overflow, which then allows the hacker to write directly to memory. RAR files are the delivery method: when particularly large RARs are being scanned, the overflow is triggered, opening up the hole.

What's particularly worrying is that producing the overflow is quite straightforward. The RARs can be delivered by e-mail, and the e-mail doesn't even need to be opened, as all e-mails are scanned prior to being delivered to the user's Inbox.

Symantec have released a patch which, while it doesn't fix the problem, does detect exploits. Users can obtain the patch by updating their Antivirus software. A more direct method of protecting against this is to just disable the scanning of RAR files until a permanent fix is in place.
