A serious flaw in a comment element to Symantec"s products has emerged this week; the company reported that the flaw was "high" risk. Symantec, maker of protection software, said the flaw was in the antivirus library used in some of its products. Secunia elaborated on this further, saying that "the vulnerability is caused due to a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file".
In an advisory issued earlier this week, Symantec said that "The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library. This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks".
The flaw affects as many as 30 Symantec products, almost all of the company"s software. The company said that users of the most recent versions of its software, like Norton Antivirus 2005, were un-affected. The company added that "The DEC2EXE engine is no longer required to parse compressed files" and that "Symantec had planned the DEC2EXE engine removal from all affected Symantec product versions during upcoming maintenance update." However, it advised all users to ensure they were fully patched (see link below). The company is also distributing patches to users via its automated Live Update feature.