Symantec Corp. and McAfee Inc., two of the leading vendors in the security software market, have addressed vulnerabilities in their products that attackers could exploit to cause a denial of service or run malicious code.
Symantec Altiris Deployment Solution -- software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location in Windows environments -- is prone to a local privilege-escalation vulnerability.
The Cupertino, Calif.-based company said in an emailed message to customers of its DeepSight threat management service that the Aclient process fails to properly drop privileges before executing external files. Symantec said that "an attacker can use the browser function to view or execute arbitrary files with 'system' privileges." Successful exploits will completely compromise affected computers.
Symantec has fixed the problem, and has included download instructions on the Symantec Security Response Web site.
Danish vulnerability clearinghouse Secunia, meanwhile, has discovered a vulnerability in McAfee E-Business Server that attackers could exploit to cause a heap-based buffer overflow via a specially crafted authentication packet with an overly large length value.
"The vulnerability is caused due to an integer overflow within the e-Business administration utility service when parsing authentication packets," the firm said in Secunia advisory SA26372. "Successful exploitation allows execution of arbitrary code."
To fix the problem, Secunia recommends users update to E-Business Server 8.5.3 for Solaris or E-Business Server 8.1.2 for Linux/HP-UX/AIX.
The Windows version is not affected, Secunia said.
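The bug class Secunia describes, an integer overflow on an attacker-supplied length that leads to an undersized heap buffer, can be illustrated with an added example that is not McAfee's code and does not reproduce its wire format. The packet layout (a 4-byte big-endian length followed by the payload), the 4096-byte limit and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_MAX_PAYLOAD 4096u   /* assumed protocol limit, not from the advisory */

/* Size a naive parser would request with malloc(len + 1): in 32-bit
 * arithmetic 0xFFFFFFFF + 1 wraps to 0, so the buffer is far smaller
 * than the length later used for the copy. */
uint32_t naive_alloc_size(uint32_t len) { return len + 1u; }

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened parse of the hypothetical packet. Returns 0 and a
 * NUL-terminated heap copy in *out, or -1 if the packet is rejected. */
int parse_auth_packet(const uint8_t *pkt, size_t pkt_len, char **out) {
    *out = NULL;
    if (pkt == NULL || pkt_len < 4) return -1;    /* header must be present */
    uint32_t len = read_be32(pkt);
    if (len > AUTH_MAX_PAYLOAD) return -1;        /* bound before any arithmetic */
    if (len > pkt_len - 4) return -1;             /* declared length must fit the data received */
    char *buf = malloc((size_t)len + 1);          /* cannot wrap: len <= 4096 */
    if (buf == NULL) return -1;
    memcpy(buf, pkt + 4, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

int main(void) {
    /* Constructed sample packets. */
    const uint8_t ok[]   = {0, 0, 0, 3, 'a', 'b', 'c'};
    const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF, 'a'};
    char *s = NULL;
    printf("naive size for 0xFFFFFFFF: %u\n", (unsigned)naive_alloc_size(0xFFFFFFFFu));
    printf("valid packet: %d\n", parse_auth_packet(ok, sizeof ok, &s));
    free(s);
    printf("oversized length: %d\n", parse_auth_packet(huge, sizeof huge, &s));
    return 0;
}
```
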