Format string vulnerability in Symantec's AntiVirus Corporate Edition
Symantec has publicised security holes in its AntiVirus Corporate Edition 10.0, 9.x and 8.1 products, as well as Symantec Client Security 3.0, 2.x and 1.x. Locally registered users with restricted privileges could exploit a format string vulnerability in the virus alert notification to launch programs with system rights. In principle, malicious code already planted in this way could also achieve system rights and bypass the virus protection.
An additional format string vulnerability involving the processing of alert notifications can cause the scanner's real-time protection functionality to crash. Symantec has released an update that has already been distributed via LiveUpdate.
- Symantec AntiVirus Corporate Edition Elevation of Privilege, Flaw report from Symantec