Flawed Symantec Products Could Allow Malicious Code Injection
Symantec has acknowledged that some of its security products are open to Denial-of-Service (DoS) attacks. Products including Symantec's Mail Security for Microsoft Exchange and anti-virus for Network Attached Storage have a flaw in the Decomposer application, which is designed to decompress compressed files. The fault could allow malicious code to be installed or cause the systems to crash abruptly.
Researchers at iDefense, a security company, discovered the flaws. On February 26, 2008, Symantec released an advisory explaining to system administrators how to update their software.
The advisory also explained that the first error is triggered when the software receives infected content. If the content is sufficiently malformed, it could consume a large amount of memory, leading to DoS conditions. The second error is a stack buffer overflow capable of crashing the Decomposer, again leading to a DoS and possibly remote code execution.
Flaws in Symantec's Decomposer tool result in DoS or compromise of several corporate security products, such as the anti-virus for Network Attached Storage and Mail Security for Microsoft Exchange.
Vulnerabilities triggered while processing malformed RAR files from archives could be exploited to inject malicious code onto vulnerable systems or cause servers to crash. They could also be exploited to crash a flawed application, consume large amounts of memory, or run arbitrary code.
The Decomposer engine unpacks compressed files. Lately, its components have weakened Symantec products. While the problem in upgrading Decomposer files is the prime reason for the security bugs, it is also responsible for an error-creating flaw that caused much grief for system administrators in corporations in early February 2008.
Separately, independent security investigators have detected buffer overflow problems in Trend Micro's Policy Server and OfficeScan software. System administrators are advised to restrict network access to the services until patches are available.
However, Trend Micro says it has repaired the issue and recommends that IT managers update to the latest version of the software to remain unaffected. Clients using the LiveUpdate service are likely to have received the patch.
SPAMfighter News - 05-03-2008