RAR vulnerability reported for antivirus software

By Steve Malone

Posted on 22 Dec 2005 at 10:53

A 'critical' vulnerability has been discovered in Symantec's antivirus software, according to independent security researcher Alex Wheeler. The problem, he believes, could mean that the anti-virus software could actually let in the very malware that it is designed to identify and block. Security firm Secunia has labelled the vulnerability as 'highly critical'.

The problem lies with RAR compressed files. Increasingly this type of file is being used by remote hackers to deliver viruses and other malware to victims' machines. As a result, anti virus software now scans the contents of these files as a matter of routine.

However, according to Wheeler, there is a problem with a boundary error in the file Dec2Rar.dll version 3.2.14.3 used by a wide number of Symantec products. When Symantec opens the files to examine the contents there are unchecked 16bit length fields in RAR sub-block header types. During the decompression of RAR files Symantec antivirus software is vulnerable to multiple heap overflows. As a result, an attacker could be able to gain control of the system being protected.

In his advisory Wheeler writes: 'Successful exploitation of Symantec protected systems allows attackers unauthorised control of data and related privileges. It also provides leverage for further network compromise.'

The problem affects almost the entire range of Symantec anti virus products from the gateway and server down to clients across most platforms. It may also affect a number of other vendors who license Symantec technology for their own products.

The danger is further heightened because scanning of RAR files is part of the default configuration. Because of this Symantec antivirus users are open to attack whether or not they choose to open or read the email. The recommendation is that users should disable RAR file checking until Symantec fixes the problem.

Wheeler's findings can be viewed on his site