Revision History
12/22/05 - Updated product matrix, Additional mitigations
12/28/05 - Additional product updates, Refined mitigation
12/30/05 - Additional product updates
01/03/06 - Additional product updates
01/05/06 - Additional product updates
01/12/06 - Additional product updates
01/18/06 - Additional product updates
01/24/06 - Additional product updates
01/27/06 - Additional product updates
Risk Impact
High
| Remote Access | Yes |
| Local Access | No |
| Authentication Required | No |
| Exploit publicly available | No |
Overview
Symantec is aware of a buffer overflow in the AntiVirus decomposer component that processes RAR (Roshal Archive) files. A specially crafted RAR file could trigger this overflow and potentially allow hostile content carried in the RAR file to execute on the targeted system.
Vulnerable Products
- As Symantec continues to investigate this issue, the list of affected products may be updated.
- Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.
- Only currently supported Symantec products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.
- Some product updates are available via Symantec LiveUpdate. Users will need to perform a manual LiveUpdate to receive and install these product updates. To perform a manual update using Symantec LiveUpdate, users should:
  - Open any installed Symantec product
  - Click on LiveUpdate in the toolbar
  - Run LiveUpdate until all available Symantec product updates are downloaded and installed
- Product updates will initially be available for the English language versions. Localized versions of the update will be available as soon as they are fully tested. Please check for localized updates at your normal product support location.
To date, Symantec has not had any reports of attempts to exploit or customers impacted by this vulnerability.
Affected Enterprise Products

| Products | Versions | Builds | Update To |
| --- | --- | --- | --- |
| Norton AntiVirus for Microsoft Exchange | 2.18 and earlier | All | SMSMSE 4.6.4.110 |
| Symantec AntiVirus/Filtering for Microsoft Exchange | 4.0.10.465 and earlier | All | SMSMSE 4.6.4.110 |
| Symantec Mail Security | 8200 | All | 4.1.2-17 |
| Symantec Mail Security for Microsoft Exchange | 4.5.4 and earlier | All | 4.6.4.110 |
| Symantec Mail Security for Microsoft Exchange | 4.6.3 and earlier | All | 4.6.4.110 |
| Symantec Mail Security for Microsoft Exchange | 5.0.0.204 | All | 5.0.1.208 |
| Symantec Mail Security for Domino NT | 4.0.3 and earlier | All | 4.1.5.30 |
| Symantec Mail Security for Domino NT | 4.1.4 and earlier | All | 4.1.5.30 |
| Symantec Mail Security for Domino NT | 5.0.0.47 | All | 5.0.1.49 |
| Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) | 3.0.11 and earlier | All | 3.0.12.25 |
| Symantec Scan Engine | 5.0.1 and earlier | All | 5.0.2.32 |
| Symantec AntiVirus Scan Engine | 4.1.8 and earlier | All | 4.1.9.30 |
| Symantec AntiVirus Scan Engine | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for MS ISA | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for MS Sharepoint | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Messaging | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus for Network Attached Storage | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Clearswift | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Caching | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus for SMTP | 3.1.7 and earlier | All | SMSSMTP 4.1.11.41 |
| Symantec Mail Security for SMTP | 4.1.9 and earlier | All | 4.1.11.41 |
| Symantec Client Security | 3.X | All | 3.0.2.2001 (MR2 PP1) / 3.0.2 MP1 |
| Symantec Web Security | 3.0.1 and earlier | All | 3.0.1.76 |
| Symantec Gateway Security 5000 Series | 3.0 | All | SGS3.0-20051222-00 |
| Symantec Gateway Security 5400 Series | 2.0 | All | SGS2.0.1-20051222-00 |
| Symantec Gateway Security | 1.0 | All | SG7004-20051222-00 |
| Symantec Brightmail AntiSpam | 6.0 | All | 6.0.3 (patch 164) |
| Symantec Brightmail AntiSpam | 5.5 | All | Upgrade to 6.0.3 (patch 164) |
| Symantec Brightmail AntiSpam | 4.0 | All | 4.0.9 |
| Symantec AntiVirus Corporate Edition | 10.X | All | 10.0.2.2001 (MR2 PP1) / 10.0.2 MP1 |
| Symantec AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later |
Affected Consumer Products

| Products | Versions | Builds | Update To |
| --- | --- | --- | --- |
| Norton AntiVirus | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton AntiVirus | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton AntiVirus | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton Internet Security Professional | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton Internet Security Professional | 2005 AntiSpyware Edition | All | Common Client 3.5.7 (via LiveUpdate) |
| Norton Internet Security Professional | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton Internet Security Professional | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton SystemWorks | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton SystemWorks | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton SystemWorks | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton Personal Firewall | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton Personal Firewall | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton Personal Firewall | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton AntiVirus for Macintosh | 9.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton Internet Security for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton SystemWorks for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later |
Products Not Affected

| Products | Versions | Builds |
| --- | --- | --- |
| Symantec Antivirus Corporate Edition | 9.X - all versions | All |
| Symantec Antivirus Corporate Edition | 8.X - all versions | All |
| Symantec Client Security | 2.X | All |
| Symantec Client Security | 1.X | All |
| Symantec Enterprise Firewall | 8.0 | All |
| Symantec Clientless VPN Gateway 4400 Series | 5.0 | All |
| Symantec Firewall / VPN Appliance | 100/200 | All |
| Symantec Gateway Security 300/400 Series | 2.0 | All |
| Norton AntiVirus for Macintosh | 7.X | All |
| Norton AntiVirus for Macintosh | 8.X | All |
| Norton Internet Security for Macintosh | 2.X | All |
| Symantec AntiVirus for HandHelds - Corporate Edition | All | All |
| Symantec AntiVirus for Handhelds | All | All |
| Symantec Client Security for Nokia | | All |
Symantec Response
Symantec is currently building, testing and distributing product updates for all supported affected products.
Mitigations
Symantec Security Response posted an antivirus-based protection signature to LiveUpdate on December 20, 2005, providing heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. This signature is available through LiveUpdate to all desktop, server and gateway versions of Symantec's security products and appliance solutions that contain the RAR decomposer. Symantec strongly recommends that customers immediately ensure their products are up to date to protect against possible threats.
Customers may also mitigate the risk to the antivirus component by disabling scanning of RAR compressed files until the vulnerable code is fixed. Note, however, that disabling RAR scanning may allow RAR files containing viruses through the security gateway.
Instructions to disable scanning of RAR compressed files for Symantec gateway products can be found at:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005122213230354
To disable scanning of RAR files in Auto-Protect for Norton AntiVirus 9 and Norton AntiVirus 10:
- Open the System Preferences
- Select the Norton Auto-Protect preference pane
- Set 'Scan Compressed Files' to 'Off'
- Close the System Preferences
This will disable the use of the Decomposer Engine when Auto-Protect is scanning files.
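While RAR scanning is disabled, the gateway no longer inspects the contents of RAR archives, so an administrator may want to hold any attachment that carries a RAR marker block, identified by content rather than by file extension, until the decomposer update is applied. The following Python script is an added example, not Symantec code; the filenames and attachment bodies are constructed samples, and the marker-block values are the standard RAR signatures.

```python
# Identify RAR archives by their marker block, not by file extension (added
# example for the workaround above, not Symantec code).
import os
from typing import Optional

# Standard RAR marker blocks: RAR 1.5-4.x and RAR 5.x.
RAR_SIGNATURES = (
    (b"Rar!\x1a\x07\x00", "RAR 1.5-4.x"),
    (b"Rar!\x1a\x07\x01\x00", "RAR 5.x"),
)

def rar_format(data: bytes) -> Optional[str]:
    """Return the RAR format name if data starts with a marker block, else None."""
    for magic, name in RAR_SIGNATURES:
        if data.startswith(magic):
            return name
    return None

def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be held while RAR scanning is off.

    The marker block wins over the extension: 'report.zip' with RAR content
    is still a RAR archive, and 'notes.rar' without a marker is not.
    """
    fmt = rar_format(data)
    ext = os.path.splitext(filename)[1].lower()
    return {
        "filename": filename,
        "format": fmt,
        "extension_mismatch": (fmt is not None) != (ext == ".rar"),
        "action": "hold" if fmt is not None else "scan",
    }

# Constructed sample attachments: marker blocks plus filler, not real archives.
SAMPLES = {
    "invoice.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "report.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 16,   # RAR body, wrong name
    "notes.rar": b"PK\x03\x04" + b"\x00" * 16,          # ZIP body, .rar name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "archive5.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
}

def triage(samples=SAMPLES):
    """Classify every sample; returns one dict per attachment."""
    return [classify_attachment(name, body) for name, body in samples.items()]

if __name__ == "__main__":
    for row in triage():
        print(row)
```

Attachments flagged "hold" can be released for scanning once the updated decomposer is installed; the "extension_mismatch" field points out names that would fool an extension-only filter.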
CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE-2005-4438 to this issue.
Credit
Symantec thanks Alex Wheeler for providing coordination and working with Symantec to resolve this issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Initial Post on: Wednesday, 21-Dec-05 22:00:00
Last modified on: Friday, 27-Jan-06 20:56:35