Symantec's posted a page about the problem at:
http://securityresponse.symantec.com/avcenter/security/Content/2005.12.21b.html
Ian
At 8:56 AM -0800 12/22/05, Michael Rimar wrote:
>Hi
>
>Someone forwarded me this article and I'm trying to assess its
>importance in my environment. I was not aware of the RAR format and
>haven't encountered a need to decompress such a file.
>
>We have 6 basic level users on various versions of OS 10.X. What's
>your impression? Feedback appreciated...
>
>Michael
>
>>> \"Highly critical\" Flaw in discovered in
>>>Symantec AntiVirus
>>>Wednesday, December 21 2005 @ 09:30 AM PST
>>>Secure OS X <http://www.secureosx.com/symantec/antivirus>reports
>>>on a "highly critical" flaw that has been discovered in Symantec's
>>>AntiVirus software for Mac OS X.
>>>The vulnerability occurs when AntiVirus is decompressing files
>>>compressed in the RAR format for scanning. When AntiVirus is
>>>performing this operation, it is susceptible to multiple heap
>>>overflows allowing attackers complete control of the system(s)
>>>being protected.
>>>Secure OS X reports:
>>>"These vulnerabilities can be exploited remotely without user
>>>interaction in default configurations through common protocols
>>>such as SMTP.
>>>"Successful exploitation of Symantec protected systems allows
>>>attackers unauthorized control of data and related privileges. It
>>>also provides leverage for further network compromise. Symantec
>>>implementations are likely vulnerable in their default
>>>configuration. In default configurations users are likely
>>>vulnerable regardless of whether they choose to open or read the
>>>email."
>>>The only solution at this point is to filter RAR archives at email
>>>or proxy gateways, or disable and uninstall Norton AntiVirus.
>>>Symantec last issued a
>>><http://www.macfixit.com/article.php?story=20051021091707669>
>>>security patch in late October. That patch resolved an issue where
>>>a non-privileged user could change the execution path environment,
>>>then execute the DiskMountNotify component and inherit the changed
>>>environment and use it to locate system commands.
>>>This flaw is the latest in a bevy of
>>><http://www.macfixit.com/article.php?story=20051006072329919>
>>>other issues caused by the AutoProtect component of Symantec's
>>>Norton AntiVirus under Mac OS X 10.4.x including apparent
>>>corruption of Mac OS X temp files that can result in spiking
>>>processor usage and complete system unresponsiveness.
>>>Until further notice, we recommend that users uninstall AntiVirus
>>>via these
>>><http://service1.symantec.com/SUPPORT/num.nsf/docid/2005051716291611?Open&src=&docid=2003051315420211&nsf=num.nsf&view=docid&dtype=%E2%88%8F=&ver=&osv=&osv_lvl=>instructions.
>>>Feedback? <mailto:Late-breakers@macfixit.com>Late-breakers@macfixit.com .
>>>
>>>Comment on this story at
>>> http://www.macfixit.com/article.php?story=20051221093111211#comments
>>>
>>------------------------------
>>Michael Rimar
>>Administrative Assistant
>>UC Botanical Garden
>>200 Centennial Drive #5045
>>Berkeley, CA 94720-5045
>>510-642-0849
>>fax 510-642-3012
>> http://botanicalgarden.berkeley.edu
--
_______________________________________________________________
Ian Crew
Workstation Support Services
Information Systems and Technology
University of California, Berkeley
icrew@berkeley.edu
Voice: 510-642-7795
Fax: 510-643-5385
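The interim mitigation quoted in the thread is to filter RAR archives at the email or proxy gateway. The following is an added example, not code from this thread, from MacFixIt or from Symantec: a small Python MIME walker that flags attachments as RAR either by the published RAR magic bytes (so an archive renamed to `.zip` is still caught) or by a RAR-style filename. The message it scans is constructed inline; the function names and the decision to report both reasons separately are this example's own choices.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Published RAR archive signatures: RAR 1.5-4.x and RAR 5.x.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# .rar plus multi-volume names such as .r00, .r01, .part1.rar
RAR_NAME_RE = re.compile(r"\.(rar|r\d\d)$", re.IGNORECASE)


def is_rar_payload(data: bytes) -> bool:
    """True when the bytes start with a RAR archive signature."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def has_rar_name(filename: Optional[str]) -> bool:
    """True when the declared filename has a RAR-style extension."""
    return bool(filename) and RAR_NAME_RE.search(filename) is not None


def find_rar_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Walk every MIME part of a raw RFC 5322 message and return
    (filename, reason) for each part that is, or claims to be, a RAR archive.
    The magic-byte check runs first so a renamed archive is caught regardless
    of the extension it was given."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if is_rar_payload(payload):
            hits.append((name, "rar-magic"))
        elif has_rar_name(name):
            hits.append((name, "rar-extension"))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # A RAR 4 header renamed to .zip: only the magic-byte check will see it.
    msg.add_attachment(RAR4_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="zip", filename="invoice.zip")
    # Plain text; must not be flagged.
    msg.add_attachment("hello", filename="notes.txt")
    # Named .rar but not RAR bytes: flagged by extension only.
    msg.add_attachment(b"not really an archive", maintype="application",
                       subtype="octet-stream", filename="photos.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_rar_attachments(build_sample_message()):
        print(f"quarantine: {name} ({reason})")
```

In a gateway this would run before the message reaches any scanner that unpacks archives; the filename check exists because the text above also warns about default configurations, where a policy that blocks by name alone is easy to document and audit even though the magic-byte check is the one that resists renaming.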
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
This archive was generated by hypermail 2.1.8 : Thu Dec 22 2005 - 10:51:47 PST