The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

Symantec AntiVirus Decomposition Buffer Overflow – Official Response

SYM05-027
December 21, 2005
Symantec AntiVirus Decomposition Buffer Overflow

Revision History

None

Risk Impact: High

Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit publicly available: No

Overview

Symantec has become aware of a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. A specially crafted RAR file could potentially trigger this buffer overflow and execute hostile content from the RAR file.

Vulnerable Products (vulnerable builds/Maintenance Releases (MR) where indicated):

Enterprise Products

Product Version
Norton AntiVirus for Microsoft Exchange 2.18
Symantec Mail Security for Microsoft Exchange 4.0, 4.5, 4.6.3
Symantec AntiVirus/Filtering for Domino NT 3.1
Symantec Mail Security for Domino NT 4.0, 4.1.4
Symantec AntiVirus/Filtering for Domino Ports 3.0.11
Symantec AntiVirus Scan Engine 4.1.8, 4.3.12
Symantec AntiVirus for MS ISA 4.3.12
Symantec AntiVirus for MS Sharepoint 4.3.12
Symantec AntiVirus for Messaging 4.3.12
Symantec AntiVirus for NAS 4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer 4.0, 4.3
Symantec AntiVirus Scan Engine for NetApp NetCache 4.0, 4.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0, 4.3
Symantec AntiVirus for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus for SMTP 3.1, 4.1.9
Symantec Client Security 3.x
Symantec Web Security 3.0.1
Symantec BrightMail AntiSpam 5.5, 4.0
Symantec Gateway Security 5000 Series 3.0
Symantec Gateway Security 5400 Series 2.0
Symantec Gateway Security 1.0
Symantec Norton Antivirus for Macintosh Corporate Edition 9.0
Symantec Mail Security for Microsoft Exchange 5.0, 4.6, 4.5, 4.0
Symantec AntiSpam for SMTP 3.1
Symantec AntiVirus/Filtering for Domino NT 3.1
Symantec Mail Security for Domino 4.0, 4.1
Symantec AntiVirus/Filtering for Domino Ports 3.0
Symantec Scan Engine 5.0.1 and earlier
Symantec AntiVirus Scan Engine 4.3
Symantec AntiVirus Scan Engine for ISA 4.3.X
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X
Symantec AntiVirus for Caching 4.3.12 and earlier
Symantec AntiVirus for Clearswift 4.3.12 and earlier
Symantec AntiVirus Scan Engine for Microsoft Portal Server 4.3.X
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X
Symantec AntiVirus Scan Engine for Filers 4.3.X
SharePoint Portal Server 2003
Symantec AntiVirus for SMTP 3.1, 4
Symantec Mail Security for SMTP 4.0, 4.1
Symantec Web Security 3.01x
Symantec BrightMail AntiSpam 6.0, 4.0, 5.5
Symantec AntiVirus Corporate Edition 10
Symantec Norton AntiVirus 7.6
Symantec I-Gear
Symantec AntiVirus for HandHelds – Corporate Edition
Symantec Client Security for Nokia

Consumer Products

Product Version
Symantec Norton Antivirus 2006, 2005, 2004
Symantec Norton Internet Security Professional 2006, 2005, 2004
Symantec Norton System Works 2006, 2005, 2004
Norton Personal Firewall 2006, 2005, 2004
Symantec Norton Antivirus for Macintosh 9.x
Symantec Norton Internet Security for Macintosh 3.x
Symantec Norton System Works for Macintosh 3.x
Symantec Norton Antivirus for Macintosh 7.x
Symantec Norton Antivirus for Macintosh 8.x
Symantec Norton Internet Security for Macintosh 2.x
Symantec Norton System Works for Macintosh 7.0
Symantec Norton Antivirus for Macintosh 9.x
Symantec Norton Internet Security for Macintosh 3.x
Symantec Norton System Works for Macintosh 3.x
Symantec AntiVirus for Handhelds All

Products Not Affected:

Product Version
Symantec Antivirus Corporate Edition 9.x – all versions, 8.x – all versions
Symantec Client Security 2.x, 1.x
Symantec Enterprise Firewall 8.0
Symantec Clientless VPN Gateway 4400 Series 5.0
Symantec Firewall / VPN Appliance 100/200
Symantec Gateway Security 300/400 Series 2.0

Note:

  1. As Symantec continues to investigate this issue, the list of affected products may be updated.
  2. As more information and product updates become available, this advisory will be updated to include a link to applicable downloads.
  3. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

Symantec Response
Symantec is currently working to create and distribute product updates for all affected products.

To date, Symantec has not had any reports of related exploits of this vulnerability.

Mitigations
Symantec Security Response posted an AntiVirus-based protection signature to LiveUpdate on December 20, 2005, providing heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. This signature is available through LiveUpdate to all desktop, server and gateway product versions of Symantec’s Security products and appliance solutions that contain the decomposer RAR archive. Symantec strongly recommends that customers immediately ensure their products are up to date to protect against possible threats.

December 22, 2005 - Posted by | Antivirus News
