Symantec has issued a patch for a flaw in its scanning software that could cause a virus to execute, rather than catch it.
The vulnerability affects an antivirus library used by the majority of Symantec's antivirus and antispam products, including Norton SystemWorks 2004 and Symantec Mail Security for Exchange, the security provider said on Tuesday.
The software is aimed at a range of systems, from consumer desktops to large corporate mail servers, meaning the flaw could be used to take control of key corporate systems or to install programs to grab people's identity data.
"The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library," Symantec said in an advisory. "This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks."
Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.
But the flaw does not affect the latest versions of some of the products, such as Norton Antivirus 2005, the company said.
"Symantec strongly recommends that customers ensure their products are up-to-date to protect against this vulnerability,"the company said in a statement. "To date, Symantec has not had any reports of related exploits of this vulnerability."
Security information company Secunia, which rates the seriousness of software vulnerabilities, gave the Symantec flaw its second-highest threat grade, "highly critical."
The problem exists in how the scanning code handles a compression format known as the Ultimate Packer for Executables (UPX). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through e-mail or host it on a Web site. An unpatched Symantec scanner checking incoming e-mail or the Web pages that users browse would run the program instead of catching the virus.
"The vulnerability can be triggered by an unauthorized remote attacker, without user interaction, by sending an e-mail containing a crafted UPX file to the target," Internet Security Systems, the company that found the flaw, stated in an advisory on Tuesday. The company said it notified Symantec of the issue when it found it.
The flaw highlights the danger of weaknesses in the security software that acts as a gateway between the unfiltered Internet and internal corporate networks. Internet Security Systems experienced such problems firsthand a year ago, when a flaw in its own firewall software was targeted by a worm two days after the public release of an advisory.
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
Internet Security Systems could not immediately provide a spokesperson to comment on the issue.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
With Windows 8 now on a clearer path to release, expect the big device makers to try to crash the raucous Apple party with Microsoft leading the way. And who knows? Microsoft may even steer buyers away from a next-generation 9-inch Kindle Fire.
AstrologyDating.com is a new site that tries to find you your perfect love on the basis of birth date, birth time, and birthplace. But will it tell you the truth? Well, it asks you to pay only per match. So I tried it.
The Web fulminates when it is revealed that executives from VEVO--vehement music industry antipirates--played a pirated stream of an NFL playoff game at a party. VEVO claims it left its Wi-Fi unsupervised. Have we heard that argument before?
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
iPhones and Angry Birds aside, the arcade endures. Crave pays a visit--and offers up an homage to games and gamers of years past and a tribute to the possibly endangered, but not yet dead, atmosphere of the arcade itself.
Just thought I would get the jump on the inevitable OS Holy War.