A Symantec security flaw discovered by an independent security consultant is unlikely to be exploited despite its rating as a high risk by Symantec itself and a very high risk by security firm Secunia, said Forrester Research senior analyst Michael Gavin.
The vulnerability, which could allow a hacker to take control of a machine during decompression of RAR files — a file format commonly used for storage of large video or audio files — is very similar to another one discovered by security consultant Alex Wheeler in February.
Exploit Not Easy
“That vulnerability is known as CVE-2005-0249, which as far as I know has not been exploited. To exploit this vulnerability, an attacker would need to create a special RAR file that exploits the vulnerability, and get that file onto machines running the vulnerable software,” Gavin told TechNewsWorld.
“While this is not trivial, there are people that have the skills to create such a RAR file relatively quickly; there are some that could do it in less than a week, possibly even within a day. Still, I suspect that it is relatively unlikely to be exploited within the next month or so.”
The bug is present in most of Symantec’s security software, including Windows and Mac versions of Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security, for both home users and enterprises.
Symantec has issued an update to its virus definitions that will detect potential exploits of the bug, which lies within the Symantec AntiVirus Library.
“Symantec takes the security and proper functionality of its products very seriously, and product teams are creating the necessary product updates to further protect against any possible threat,” a Symantec spokesperson said yesterday. “Information about specific product updates and mitigation will be posted to Symantec Security Response Web site later today.”
Turn Off RAR Scanning
There is no patch for the vulnerability. In the meantime, Symantec recommends shutting off the automatic scanning of RAR archive files, a move Gavin said was very important.
“Part of the significance of this vulnerability announcement is that your machine can be exploited without you needing to do anything at all. You don’t even have to open an e-mail or attachment, and this happens with the default configuration of the product,” he explained, “and … if the e-mail server is running the vulnerable software, then it is compromised just by receiving the e-mail.”
While the flaw can be dangerous, Gavin does not believe the bug is a reason to switch from Symantec products.
“This particular flaw is not good justification for switching AV vendors; AV products are complex, and complex products contain bugs, and sometimes those bugs are exploitable vulnerabilities,” he said. “While other AV products may not have this particular vulnerability, they are quite likely to have vulnerabilities of their own.”