"Highly critical" Flaw discovered in Symantec AntiVirus
Secure OS X reports on a "highly critical" flaw that has been discovered in Symantec's AntiVirus software for Mac OS X.
The vulnerability occurs when AntiVirus decompresses files in the RAR format for scanning. While performing this operation, it is susceptible to multiple heap overflows, allowing attackers complete control of the system(s) being protected.
Secure OS X reports:
"These vulnerabilities can be exploited remotely without user interaction in default configurations through common protocols such as SMTP.
"Successful exploitation of Symantec protected systems allows attackers unauthorized control of data and related privileges. It also provides leverage for further network compromise. Symantec implementations are likely vulnerable in their default configuration. In default configurations users are likely vulnerable regardless of whether they choose to open or read the email."
The only solution at this point is to filter RAR archives at email or proxy gateways, or disable and uninstall Norton AntiVirus.
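The gateway-filtering workaround above, as an added example (not code from Symantec, Secure OS X, or the original article): a Python check that a mail gateway hook could run to flag RAR attachments by file signature as well as by name or MIME type, so renamed archives are still caught. The function names and the constructed sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# RAR markers: 7 bytes for RAR 1.5-4.x, 8 bytes for RAR 5.x.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
RAR_TYPES = {"application/x-rar-compressed", "application/vnd.rar"}
# Self-extracting archives put the marker after an executable stub, so search
# the first 1 MiB instead of only offset 0. A substring match can over-block,
# which is acceptable for a quarantine rule.
SCAN_WINDOW = 1024 * 1024


def rar_reasons(part):
    """Return the reasons a single MIME leaf part looks like a RAR archive."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if name.endswith(".rar"):
        reasons.append("extension")
    if part.get_content_type() in RAR_TYPES:
        reasons.append("content-type")
    # decode=True undoes base64 / quoted-printable transfer encoding.
    payload = part.get_payload(decode=True) or b""
    if any(magic in payload[:SCAN_WINDOW] for magic in RAR_MAGICS):
        reasons.append("signature")
    return reasons


def find_rar_parts(raw_message: bytes):
    """Walk every leaf part (including parts of attached messages) and
    return [(filename, reasons)] for each part that should be quarantined."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = rar_reasons(part)
        if reasons:
            hits.append((part.get_filename() or "<unnamed>", reasons))
    return hits


def build_sample(filename, data):
    """Constructed test message with one attachment (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content("body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A non-empty result from `find_rar_parts` is the signal to quarantine or strip the attachment before it reaches a host running the scanner.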
Symantec last issued a security patch in late October. That patch resolved an issue where a non-privileged user could change the execution path environment and then execute the DiskMountNotify component, which would inherit the changed environment and use it to locate system commands.
This flaw is the latest in a bevy of other issues caused by the AutoProtect component of Symantec's Norton AntiVirus under Mac OS X 10.4.x, including apparent corruption of Mac OS X temp files that can result in spiking processor usage and complete system unresponsiveness.
Until further notice, we recommend that users uninstall AntiVirus via these instructions.
