Symantec Confirms Serious AV Security Flaw

Software developer Symantec Corporation has confirmed a high-risk buffer-overflow security vulnerability in its AntiVirus Library when scanning RAR archives.

Symantec Corporation has publicly acknowledged a serious security vulnerability in its AntiVirus Library which could lead to execution of arbitrary code when scanning RAR archive files. The issue impacts dozens of Symantec’s enterprise and consumer products for Windows, as well as recent antivirus products for Macintosh, Linux, Solaris, AIX and handheld devices.

Symantec rates the vulnerability as “high” risk, and says it is “currently working to create and distribute product updates for all affected products.”

Symantec’s statement comes a day after security researcher Alex Wheeler published a public advisory about the problem (PDF).

The issue involves multiple unchecked 16-bit fields in RAR archive sub-block header types. In theory, an attacker could craft a RAR archive that overwrites critical areas of memory with arbitrary data; if that data is then executed as code, the attack could gain system-wide privileges on the affected system. Because Symantec’s antivirus products automatically scan files arriving via email and other means, the user would not have to view an email message or open an attachment to trigger the attack: it would happen automatically.
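
The bug class described above, shown as an added illustration that is not taken from Symantec's code, the RAR format specification or Wheeler's advisory: a parser that trusts a 16-bit size field read from the file, next to a version that bounds it against both the destination buffer and the bytes actually present. The header layout, names and sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (not real RAR):
   1-byte type, 16-bit little-endian name_size, then name bytes. */
#define HDR_LEN 3
#define SB_NAME_CAP 64

struct subblock { uint8_t type; uint16_t name_size; uint8_t name[SB_NAME_CAP]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Unchecked form, for contrast only (never called here): name_size comes
   straight from the file, so a value above SB_NAME_CAP writes past
   out->name and a value above the bytes present reads past buf. */
void parse_unchecked(const uint8_t *buf, struct subblock *out) {
    out->type = buf[0];
    out->name_size = rd16(buf + 1);
    memcpy(out->name, buf + HDR_LEN, out->name_size);
}

/* Checked form: 0 on success, -1 on a truncated header or a declared
   size larger than the destination or than the remaining input. */
int parse_checked(const uint8_t *buf, size_t len, struct subblock *out) {
    if (len < HDR_LEN) return -1;
    uint16_t n = rd16(buf + 1);
    if (n > SB_NAME_CAP) return -1;        /* destination bound */
    if (n > len - HDR_LEN) return -1;      /* source bound */
    out->type = buf[0];
    out->name_size = n;
    memcpy(out->name, buf + HDR_LEN, n);
    return 0;
}

/* Constructed sample inputs. */
const uint8_t sample_ok[]    = {0x01, 0x03, 0x00, 'a', 'b', 'c'};
const uint8_t sample_huge[]  = {0x01, 0xFF, 0xFF, 'a'};       /* claims 65535 bytes */
const uint8_t sample_short[] = {0x01, 0x10, 0x00, 'a', 'b'};  /* claims 16, has 2 */

int main(void) {
    struct subblock sb;
    int bad = parse_checked(sample_ok, sizeof sample_ok, &sb) != 0
           || parse_checked(sample_huge, sizeof sample_huge, &sb) != -1
           || parse_checked(sample_short, sizeof sample_short, &sb) != -1;
    return bad;  /* 0 when the valid input parses and both malformed ones are rejected */
}
```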

To date, there are no known exploits of this bug. As an interim measure, users could consider disabling scans of RAR compressed files and RAR self-extracting archives.

The RAR compression format is relatively popular, particularly among users compressing large audio or video files. As a result, virus creators have increasingly begun bundling malware into RAR archive files to sneak “under the radar” of antivirus products operating on mail servers and other perimeters of networks. Antivirus products can typically scan the contents of ZIP archives, but not all can yet scan inside RAR files. Symantec’s products can do so, and the security bug lies within that capability.
