Symantec Multiple Products UPX Parsing Engine Buffer Overflow

[stormbyte]

SS X-Force has reported a vulnerability in multiple Symantec products, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file.

http://secunia.com/advisories/14179/

Mariusz
stormbyte.com

[ronjor]

Sounds a lot like this one posted yesterday.

http://www.wilderssecurity.com/showthread.php?t=65646

[Blackcat]

Quote:

Originally Posted by stormbyte

Another reason to switch to ArcaVir?
Mariusz

Or to any of many other worthy AV's Possibly.

But I am sure that Symantec will have a fix for this soon. In fact they already have by the post that Ronjor has shown above!!!!!!

Too early to jump ship yet, particularly when your new version has only just come out! ArcaVir has had no time to settle down yet

Mks-Vir/ArcaVir can stand on its own two legs without (constant) plugging of switching to this AV because of shortcomings/vulnerabilities in other AV programs.

No disrespect, Mariusz, you have a good product.

[ronjor]

Symantec Patches High-Risk Vulnerability

Quote:

In response, the Cupertino, Calif.-based company has discontinued use of the DEC2EXE engine, which is no longer required to parse compressed files. Symantec officials said the company had already deleted the vulnerable engine from the majority of its products and had planned to complete the removal from all affected product lines during upcoming maintenance updates.

[Stefan Kurtzhals]

The funny part is, Symantec added a heuristic detection to catch files that contain this exploit (beside updating their scan engine).

[stormbyte]

Quote:

Originally Posted by Blackcat

Or to any of many other worthy AV's Possibly.

But I am sure that Symantec will have a fix for this soon. In fact they already have by the post that Ronjor has shown above!!!!!!

Problem with Norton - there are milions of outdated copies out there. Many of them are just trial versions that expired. People using them will think that they are protected.

Quote:

Too early to jump ship yet, particularly when your new version has only just come out! ArcaVir has had no time to settle down yet

mks_vir has been around for more then 17 years. Program was designed for polish market only but still..

Quote:

Mks-Vir/ArcaVir can stand on its own two legs without (constant) plugging of switching to this AV because of shortcomings/vulnerabilities in other AV programs.

Sorry but as far as I remember this was my first post about vulnerabilities in other AV programs. Please correct me if I'm wrong.

Mariusz

www.stormbyte.com