Vulnerabilities in antivirus products
Both Symantec and Sophos have released updates for their antivirus products to remedy security vulnerabilities. In Symantec's business and consumer antivirus products, local users are able to cause the computer to crash. Injected script code can be executed in Sophos' security products. Attackers may also bypass detection with prepared archives.
Symantec's security products install the device driver SYMTDI.SYS. The driver does not correctly check some of the values in interrupt request packets (IRPs), so manipulated queries can overwrite areas of memory and crash the computer. In Sophos' products, attackers can exploit a cross-site scripting hole in the log function: when a specially crafted archive containing a contaminant with a carefully prepared file name is scanned, the script code in that file name lands in the log file and is executed when the log is viewed or printed. The scan engine also has a flaw that prevents CAB, LZH, and RAR archives with manipulated headers from being inspected correctly.
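The log-function flaw follows a general pattern: a name taken from inside a scanned archive is attacker-controlled, and writing it verbatim into an HTML log lets it run when the log is opened. The following is an added illustration, not code from Sophos or from the advisory; the log format, field names and the `ScanEvent` record are assumptions. It shows the naive renderer beside a hardened one that escapes every untrusted field and strips control characters so a file name cannot forge extra log lines either.

```python
import html
import re
from dataclasses import dataclass


# Hypothetical scan-log record; the fields are assumptions, not Sophos' log layout.
@dataclass(frozen=True)
class ScanEvent:
    archive: str       # path of the archive that was scanned
    member_name: str   # name of a file inside the archive: attacker-controlled
    verdict: str       # scanner's verdict, e.g. "Clean" or "Malicious"


# ASCII control characters (NUL..US and DEL); CR/LF would otherwise split a log line.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_name(name: str) -> str:
    """Replace control characters so an untrusted name cannot inject log lines."""
    return _CONTROL.sub("?", name)


def render_entry_unsafe(ev: ScanEvent) -> str:
    """The flawed pattern: untrusted fields are interpolated into HTML verbatim."""
    return f"<tr><td>{ev.archive}</td><td>{ev.member_name}</td><td>{ev.verdict}</td></tr>"


def render_entry(ev: ScanEvent) -> str:
    """Hardened renderer: every field is control-stripped and HTML-escaped."""
    cells = (
        html.escape(sanitize_name(ev.archive), quote=True),
        html.escape(sanitize_name(ev.member_name), quote=True),
        html.escape(sanitize_name(ev.verdict), quote=True),
    )
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_log(events: list) -> str:
    """Whole log as an HTML table, built only from hardened rows."""
    header = "<tr><th>Archive</th><th>Member</th><th>Verdict</th></tr>"
    return "<table>" + header + "".join(render_entry(e) for e in events) + "</table>"


def survives_verbatim(rendered: str, untrusted: str) -> bool:
    """Detection check: True if an untrusted string reached the output unescaped."""
    return untrusted in rendered


# Constructed sample: a member name carrying markup, as a crafted archive might.
SAMPLE = ScanEvent("incoming/sample.cab", '<script>alert("x")</script>.txt', "Malicious")

if __name__ == "__main__":
    print("unsafe :", render_entry_unsafe(SAMPLE))
    print("safe   :", render_entry(SAMPLE))
```

The same `survives_verbatim` check can be run over an existing HTML log against the member names recorded for a scan: any hit means the viewer will interpret attacker-supplied markup rather than display it.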
Both vendors have released current versions of the software to close these security holes. Sophos has remedied the flaws in versions 6.5.8 and 7.0.1 of its antivirus solution and version 2.49.0 of the scan engine and is distributing the patches via automatic update. Symantec is distributing updates via its LiveUpdate function for the following affected products: Antivirus Corporate Edition 9.x up to and including 10.1.x, Client Security 2.x to 3.1.x, versions 2005 and 2006 of Norton System Works, Personal Firewall, Internet Security and Antivirus, and Norton AntiSpam 2005.
- Symantec SYMTDI.SYS Device Driver Local Denial of Service, Symantec's security advisory
- Sophos Anti-Virus Cross-site script vulnerability reported, Sophos' security advisory
- Sophos Anti-Virus evasion vulnerabilities reported, Sophos' security advisory