Symantec Antivirus Flaw Leaves Systems Open to Exploits
An independent security researcher has found a critical vulnerability in Symantec's antivirus software. The flaw, revealed Tuesday by Alex Wheeler, could provide a way in for malware -- the malicious code the antivirus software has been designed to detect and prevent.
The vulnerability affects a vast array of Symantec corporate antivirus software as well as consumer products, including Norton Antivirus, Norton Internet Security Professional, Norton System Works, Norton Personal Firewall, as well as recent versions in Symantec's line of antivirus software for Macintosh and handhelds.
According to Wheeler, formerly of Internet Security Systems, the problem lies in the manner in which Symantec's antivirus library handles compressed files in the RAR format. RAR is the open-source equivalent to the ZIP format.
In a written statement, Symantec said it "takes the security and proper functionality of its products very seriously" and that its "product teams are creating the necessary product updates to further protect against any possible threat."
Fatal Exception
Wheeler's findings showed that a specially engineered RAR file containing a virus or other malicious program could infiltrate a user's computer. Once that happens, attackers have carte blanche access to the system and can take complete control of any computer onto which their program has been downloaded.
"The flaw is potentially serious because it allows an attacker to gain remote control of a system," said Andrew Jaquith, a Yankee Group analyst. "However, it requires getting the malicious payload on to the target system first. The most likely way would be e-mail."
Symantec is not the first antivirus software firm to get caught with its pants down. Companies such as Trend Micro, F-Secure, and McAfee all have had to deal with the discovery of serious vulnerabilities in their software. The problem for Symantec is that, as an industry leader, there are a significant number of vendors as well as consumers whose products and services could be affected.
According to Jaquith, the discovery of the RAR vulnerability indicates that security researchers believe that security products represent a new frontier for hacking. Where vulnerabilities are discovered, said Jaquith, attacks soon follow.
The Layered Approach
However, the threat is probably not as widespread as it might seem, said Rob Ayoub, an analyst at Frost & Sullivan, because RAR files are not as prevalent as other compressed files, such as ZIP files. In addition, WinZIP, the most popular compression software used for opening RAR files, does not open RAR files automatically.
"It is a very dangerous exploit and it is important," said Ayoub. "But is everyone's system about to be left wide open? Probably not."
If the flaw had been discovered in WinZIP or in ZIP files, it would have been a lot more dangerous, said Ayoub. "While it is dangerous, the potential for opening the files is a lot more limited than we see in a lot of other virus attacks."
Ayoub agreed that the most likely way to exploit this vulnerability would be through spam. While this exploit differs from more commonly seen bugs because it attacks the scanning engine in the security software itself and does not require user intervention, Ayoub said the discovery simply highlights the need for consumers to adopt a multitiered approach to protecting their computers.
"It points to the fact that we should all opt for the layered approach," Ayoub recommended. "If a virus comes out for this, the most common way it will spread is through spam. So it goes back to [the idea that] you need a spam filter in addition to an antivirus application."
The Real Story
Both Ayoub and Jaquith expressed concern, however, over the manner in which Wheeler disclosed the vulnerability. Many industry experts believe that researchers who make these exploit discoveries and then fail to notify software developers before going public with the information do more harm than good.
"The real story is how the researcher chose to reveal the vulnerability," Jaquith said. "He sprang it on Symantec without giving them a chance to correct the issue and release a patch to the public. By releasing vulnerability details that could be useful to attackers seeking to construct automated exploits, he has needlessly placed the public at risk. This should be seen as a publicity stunt by Wheeler. He has acted badly."
The final verdict for Symantec and its position in the security industry will depend on how well the company responds to the problem. The timing for Symantec could not have been worse for a discovery of this nature, Ayoub explained, because Microsoft recently released the beta version of its own, competing antivirus product.
One factor working in Symantec's favor, though, is that any needed updates will be distributed quickly through the company's LiveUpdate program. "The one advantage they have is that, once the patch is available, it will be easy to update," Ayoub pointed out. "It's not so much that [the flaw] will work against [Symantec] at this moment, but it depends on how they handle it."
Consumers need to understand that all products have bugs, even antivirus software, Ayoub added.
From TopTech News