IBM and Symantec patch critical holes in their products
Several of Symantec's mail security and data loss prevention products contain a vulnerability that can be exploited to compromise a system when parsing files. The problem is caused by an integer or heap overflow in the KeyView SDK software library by vendor Autonomy. Symantec products use this library for processing certain document formats. The actual vulnerability is contained in a function for processing Excel-97 files in the xlssr.dll file and allows attackers to inject and execute arbitrary code. It appears that an attacker only needs to attach a specially crafted Excel table to an email and send it to a system for processing to be successful.
Among the affected programs are Symantec Mail Security for Domino 8.0, Symantec Mail Security for Microsoft Exchange 6.x, Symantec BrightMail Appliance 8.0.1 and Symantec Data Loss Prevention Enforce/Detection Servers for Windows 9.0.1. A complete list can be found in Symantec's original advisory. The vendor has released hot fixes to close the hole.
In addition to the Symantec products, the vulnerability also affects IBM's Lotus Notes, which also use the KeyView SDK. IBM has released a separate advisory which states that Lotus Notes 7.x, 8.x and 8.5.x are vulnerable. The Lotus Notes servers are not affected. On the clients, however, users have to manually open an attachment with the Viewer to fall victim to the attack. IBM has released patches for 8.5.x, 8.0x and 7.x. For the series 6.x and 5.x versions, the vendor recommends that users disable the Viewer. Instructions how to do this can be found in IBM's advisory.
Holes in the KeyView SDK already prompted Symantec and IBM to release security updates in April 2008 and in October 2007.
See also:
- Symantec Products Autonomy KeyView Module Vulnerability, security advisory from Symantec.
- Potential security issue with Lotus Notes file viewer for Microsoft Excel, security advisory from IBM.
- Autonomy KeyView Excel File SST Parsing Integer Overflow Vulnerability, security advisory from iDefense.
- Holes in Symantec Mail Security products, a report from The H.
(crve)