Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoded RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays, even if a fix does come out in the next few days, will people be around to apply it.
For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.
We'll bring you more info as it becomes available.
Jim Clausing, jclausing at isc.sans.org
Dec 21st 2005
1 decade ago