News Stay informed about the latest enterprise technology news and product updates.

Vulnerabilities afflict multiple antivirus products

Serious security holes have been discovered in popular antivirus products, including those from Symantec and McAfee.

Serious vulnerabilities in several antivirus products could result in denial-of-service conditions, local privilege escalation and other negative consequences. Fixes are available for some of the problems.

One vulnerability affects popular antivirus products such as Kaspersky AntiVirus for Linux, Trend Micro InterScan VirusWall 3.8 Build 1130, and McAfee Virus Scan for Linux 4.16.0. Other versions may also be affected.

A team of researchers from Aerasec Network Services and Security GmbH, based in Hohenbrunn, Germany, discovered that these products have trouble with so-called bzip2 bombs.

When scanning compressed files for virus signatures, antivirus products usually decompress the file first. However, the products with the flaw often don't limit the size of the resulting decompressed file, and extremely large files (billions of zeroes, for instance) can overwhelm the products. Decompressing a large file can take up all available file space on a machine, maxing out CPU usage and causing denial-of-service conditions on the machine.

A different vulnerability in Symantec Corp.'s LiveUpdate can be fixed with the latest patches. A variety of Symantec products are vulnerable to the escalation of privileges to SYSTEM by a local user.

Symantec LiveUpdate is a feature of many consumer and retail Symantec products. It keeps track of new updates that are available for the user to download and install. This is especially necessary for products such as Symantec's Norton AntiVirus, which require the most up-to-date virus definitions to operate effectively.

Kevin Finisterre, the Strategic Reconnnaissance Team (SRT) lead for Boxboro, Mass.-based Secure Network Operations, Inc. (SECNETOPS), discovered that LiveUpdate can allow a local user to gain SYSTEM privileges. The problem occurs on machines running NT-based Windows, and XP, 2000 and 2003.

If Automatic LiveUpdate is enabled, a pop-up window sometimes appears, notifying the user that updates are available. If the user clicks to run LiveUpdate, the LiveUpdate executables then run as SYSTEM. Selecting the Help button permits the user to open various files, the intention being that only help files will be opened. However, a knowledgeable user could bypass this with a particular command. Doing so results in a DOS command prompt running as SYSTEM. The user can then execute arbitrary commands.

Versions 1.70.x through 1.90.x of LiveUpdate are a feature of several products, including Norton AntiVirus and AntiVirus Pro (2001-2004), Norton Internet Security and Internet Security Pro (2001-2004), Norton SystemWorks (2001-2004) and Symantec AntiVirus for Handhelds version 3.0. The problem doesn't occur in Symantec Enterprise products, because they don't support Automatic LiveUpdate.

Symantec has fixed this problem, and users should run LiveUpdate and apply the latest patches.


Click here for the bzip2bomb advisory

Download Symantec LiveUpdate fix here.

Click here for the Symantec LiveUpdate advisory

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.