Symantec AV RAR library vulnerability
Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoded RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays, even if a fix does come out in the next few days, will people be around to apply it.
For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.
We'll bring you more info as it becomes available.
Update: Symantec is apparently distributing a new pattern/definition that may detect the malformed RAR files while they continue to work on fixing the underlying vulnerability.
----------------------
Jim Clausing, jclausing at isc.sans.org
For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.
We'll bring you more info as it becomes available.
Update: Symantec is apparently distributing a new pattern/definition that may detect the malformed RAR files while they continue to work on fixing the underlying vulnerability.
----------------------
Jim Clausing, jclausing at isc.sans.org
Keywords:
0 comment(s)
My next class:
LINUX Incident Response and Threat Hunting | Online | US Eastern | Jan 29th - Feb 3rd 2025 |
×
Diary Archives
Comments