Symantec Confirms AV Library Flaw, Promises Patch

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."

Re:Why confess?

[wasudeo]

FTA,

Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.

Re:You know what this means -

[ozmanjusri]

ps. why is there no (or where is it ?) opensource antivirus software for windows ?

http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8 &q=opensource%20antivirus%20software%20for%20windo ws

Re:You know what this means -

[S3D]

Clam is not exactly for windows. Last time I've checked Win Clam was far behind Linux version. Free AVG seems a lot better for Windows, but not open sourced

Why AV Is Innefective from Malware POV

[TheUncleD]

Coding or I should say, 'Encoding has come a long ways.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" are in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its Liveupdate a way for all people infected to remove it. Given this, they must either constantly compete with Nortons LiveUpdate's or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, its in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot"packer" is packing their bots uniquely, obscuring the strings from norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, its a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).