RAR vulnerability reported for antivirus software
By Steve Malone
Posted on 22 Dec 2005 at 10:53
A 'critical' vulnerability has been discovered in Symantec's antivirus software, according to independent security researcher Alex Wheeler. The problem, he believes, could mean that the anti-virus software could actually let in the very malware that it is designed to identify and block. Security firm Secunia has labelled the vulnerability as 'highly critical'.
The problem lies with RAR compressed files. Increasingly this type of file is being used by remote hackers to deliver viruses and other malware to victims' machines. As a result, anti virus software now scans the contents of these files as a matter of routine.
However, according to Wheeler, there is a problem with a boundary error in the file Dec2Rar.dll version 22.214.171.124 used by a wide number of Symantec products. When Symantec opens the files to examine the contents there are unchecked 16bit length fields in RAR sub-block header types. During the decompression of RAR files Symantec antivirus software is vulnerable to multiple heap overflows. As a result, an attacker could be able to gain control of the system being protected.
In his advisory Wheeler writes: 'Successful exploitation of Symantec protected systems allows attackers unauthorised control of data and related privileges. It also provides leverage for further network compromise.'
The problem affects almost the entire range of Symantec anti virus products from the gateway and server down to clients across most platforms. It may also affect a number of other vendors who license Symantec technology for their own products.
The danger is further heightened because scanning of RAR files is part of the default configuration. Because of this Symantec antivirus users are open to attack whether or not they choose to open or read the email. The recommendation is that users should disable RAR file checking until Symantec fixes the problem.
Wheeler's findings can be viewed on his site
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software