Critical Flaw Affects Symantec AntiVirus

A flaw within Symantec AntiVirus could open users' computers to the execution of arbitrary code when a specially crafted RAR file is scanned, independent security researcher Alex Wheeler said in an advisory on his Web site Tuesday.

Wheeler's work centers on looking for remote stack, heap and buffer overflows, mainly in antivirus products. In the case of this particular flaw, the problem is a result of unchecked 16bit length fields in RAR sub-block header types.

The flaw allows an attacker to assume complete control of the affected computer, without any user interaction in the default configuration of the antivirus software. Wheeler said that a hacker could exploit the vulnerability through common Internet protocols like SMTP.

"Successful exploitation of Symantec protected systems allows attackers unauthorized control of data and related privileges," he wrote in the advisory. "It also provides leverage for further network compromise."

RAR files are being used in increasing numbers by attackers to circumvent antivirus software. Until recently, many scanners did not look inside compressed files. But now that virus writers are trying to use them as payloads for malware, it has become necessary to do so.

However, the fact that this new feature can actually open up an entirely new vulnerability may be disconcerting to some.

Until it is fixed, Wheeler recommends that Symantec users turn off RAR scanning, and practice caution when downloading any RAR file.

Wheeler has labeled the flaw as "high risk." Secunia, a Danish security firm, labeled the vulnerability "highly critical" in an advisory issued Tuesday.

Affected software includes Symantec AntiVirus Corporate Edition 8 through 10, Symantec Norton AntiVirus, and Symantec Mail Security, among other products.