February 11, 2005
Symantec Buffer Overflow Creates Widespread Vulnerabilities

Platform: Symantec anti-virus, anti-spam, and firewall products.
Symantec Severity: High
Actual Severity: CRITICAL
Intrusion detection software vendor ISS Inc. yesterday reported a serious cross-product vulnerability in Symantec's security products, including stand-alone appliances. A buffer overflow problem in the Symantec scan engine, used in many Symantec products, could be exploited by a virus to compromise a Symantec-protected system.
Symantec acknowledges the problem, but reports that it has seen no instances of an exploit in the wild. The problem afflicts many editions of the company's consumer products for both Windows and Macintosh systems, as well as a number of Symantec enterprise products. The flaw also exists in Symantec Gateway Security 5300 and 5400 firewall appliances.
The specific module involved, DEC2EXE, is actually an obsolete component that Symantec products can live without; its function has been replaced by the Symantec AV Definition Engine, which is immune to this particular failure. Symantec says users can safely disable the DEC2EXE module by following instructions posted on its website at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005020911112648
The latest Symantec automatic software update removes DEC2EXE from products that support live updates. For its firewall appliances, Symantec has posted a manual software fix.
Here are links to the ISS and Symantec security bulletins for DEC2EXE:
http://xforce.iss.net/xforce/alerts/id/187
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
Posted by Mel Beckman at February 11, 2005 9:08 AM