While antivirus software is deployed to add a protective layer to systems, the software itself sometimes contains bugs that introduce a vulnerability attackers can exploit. Such is the case for several of Symantec's products, which have been found to handle CAB files improperly, potentially allowing an attacker to remotely gain administrative privileges and execute arbitrary code, according to an alert issued by the United States Computer Emergency Readiness Team (US-CERT) last week.
The vulnerable products include:
- Endpoint Protection 11.0
- Endpoint Protection Small Business Edition 12.0
- AntiVirus Corporate Edition 10.x
- Symantec Scan Engine (SSE) 5.2.7.x and prior (EOL)
The problem stems from legacy versions of the decomposer, which fail to perform the required bounds checks on some file types when parsing the content to be scanned from a CAB archive, according to Symantec. The result could be a denial-of-service condition that crashes the application, leaving systems vulnerable if an attacker targets the flaw with malformed CAB files, though the company has not itself been able to confirm that remote code execution is possible.
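To make the missing check concrete, here is an added example (not Symantec's decomposer code) of a CAB CFHEADER/CFFILE walker that validates every offset and length against the real buffer before reading, and rejects a constructed header whose file-name field is not terminated inside the buffer. Field layout follows the public CAB format; the sample archive bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative, bounds-checked walk of a CAB archive's CFHEADER and CFFILE list.
 * Every field is checked against the real buffer length before it is read, the
 * kind of check the article says the legacy decomposer omitted. Added example;
 * not Symantec's decomposer code. cbCabinet from the header is never trusted. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of CFFILE entries that fit inside buf, or -1 if any header
 * field would make the parser touch memory outside buf[0..len). */
int cab_count_files(const uint8_t *buf, size_t len)
{
    if (len < 36 || memcmp(buf, "MSCF", 4) != 0) return -1;   /* CFHEADER is 36 bytes */
    uint32_t coff_files = le32(buf + 16);                     /* offset of first CFFILE */
    uint16_t c_folders  = le16(buf + 26);
    uint16_t c_files    = le16(buf + 28);
    size_t off = coff_files;                                  /* size_t: off + 16 cannot wrap */
    for (uint16_t i = 0; i < c_files; i++) {
        if (off > len || len - off < 16) return -1;           /* fixed 16-byte CFFILE part */
        uint32_t cb_file = le32(buf + off);
        uint32_t uoff    = le32(buf + off + 4);
        uint16_t ifolder = le16(buf + off + 8);
        if (uoff > UINT32_MAX - cb_file) return -1;           /* uoff + cb_file would overflow */
        if (ifolder < 0xFFFD && ifolder >= c_folders) return -1; /* 0xFFFD..0xFFFF = continued */
        off += 16;
        const uint8_t *nul = memchr(buf + off, 0, len - off); /* szName must end inside buf */
        if (nul == NULL) return -1;
        off = (size_t)(nul - buf) + 1;
    }
    return c_files;
}

/* Constructed sample: CFHEADER, one CFFOLDER, one CFFILE "a.txt", no CFDATA blocks. */
static const uint8_t sample_cab[] = {
    'M','S','C','F', 0,0,0,0, 66,0,0,0, 0,0,0,0, 44,0,0,0, 0,0,0,0,
    3,1, 1,0, 1,0, 0,0, 0,0, 0,0,
    0,0,0,0, 1,0, 0,0,
    5,0,0,0, 0,0,0,0, 0,0, 0,0, 0,0, 0x20,0,
    'a','.','t','x','t',0
};
int sample_ok(void)        { return cab_count_files(sample_cab, sizeof sample_cab); }
/* Same bytes minus szName's terminating NUL: an unchecked strlen() would run past the end. */
int sample_truncated(void) { return cab_count_files(sample_cab, sizeof sample_cab - 1); }
```

A fuzzer or a unit test feeding truncated and offset-corrupted headers to such a walker is how a vendor would catch this class of bug before a malformed archive reaches the scanner.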
"Successful targeting of this nature would require the attacker to be able to get their maliciously formatted archive past established email security policies to be processed on a system. This may lessen the success of any potential attempts of this nature though it does not reduce the severity if targeting is successful," Symantec acknowledged.
The company has no plans to patch the Endpoint Protection 11 product, as it employs an older version of the scan engine, and the vulnerability is not present in newer versions of the engine.
"Symantec is aware of the issue published by US-CERT on November 5, 2012 and suggests that customers upgrade to the latest versions for optimal safety. If a customer is unable to upgrade, Symantec is providing instructions for a workaround to mitigate the issue," Symantec's Pamela Reese told Security Bistro.
It is recommended that users upgrade to Endpoint Protection 12.1 and, in the meantime, disable CAB-file or compressed-file scanning in the manual and e-mail scanning tools.
US-CERT also recommends using the Microsoft Enhanced Mitigation Experience Toolkit (EMET), which can help prevent exploitation of the vulnerability, and enabling Data Execution Prevention (DEP) in conjunction with any patches, but advises that DEP alone should not be considered a complete workaround for the vulnerabilities.