Older Symantec AVs open to remote code execution

No update planned for affected scan engine.

Vulnerabilities have been discovered in older versions of Symantec anti-virus which can grant privileged remote code execution to unauthenticated attackers.

The holes (CVE-2012-4953) lay in the anti-virus products' handling of malformed CAB files, which resulted in memory corruption.

Will Dormann, vulnerability analyst at the Computer Emergency Response Team Coordination Center (CERT/CC), discovered the flaw.

“Successful exploitation may result in arbitrary code execution as the result of a file being scanned,” Dormann said.

“We have confirmed that Symantec Endpoint Protection 11, which uses dec_abi.dll, and Symantec Scan Engine 5.2, which uses Dec2CAB.dll, are affected.”

Users could protect themselves by updating to Symantec Endpoint Protection 12.

Symantec told CERT that Symantec Endpoint Protection 11 used an old scan engine and would not be updated.

The latest version of Symantec Protection Engine for Cloud Services did not appear affected by the vulnerability.

CERT recommended that users deploy Microsoft’s Enhanced Mitigation Experience Toolkit and enable Data Execution Prevention to reduce the risk of exploitation.


Copyright © SC Magazine, Australia

