Information Security Office
Security Alert: Symantec AntiVirus - UPX Parsing Overflow Vulnerability
11 Feb 2005
Update

February 14: Windows platform: "Quick Fix" utility available from Symantec.

February 13: Macintosh platform: confirmed vulnerability and patch. Windows platform: suggestion for problems with manual SAV upgrade.
Summary

On Feb 8, 2005, Symantec announced a vulnerability in a component of several of their products, including some widely used versions of Symantec AntiVirus. The vulnerability could allow an attacker to remotely take control of a computer without requiring any user interaction.

It affects both MacOS and Windows, and in particular the previous versions of Symantec AntiVirus for Windows that were available on the Essential Stanford Software site until earlier this week. An updated version (Symantec AntiVirus 9.0.3) for Windows is now available from ESS.

It affects many of the versions of Symantec AntiVirus Corporate Edition that are widely deployed on campus.
What to Do

Macintosh users can protect themselves by performing a LiveUpdate. Virus definitions for the Macintosh from 2/2/2005 and later will disable the vulnerable component of SAV.

For Windows users, Symantec has released a utility that will disable the affected component, to remove the vulnerability from your computer until your installation of SAV can be upgraded to the latest version. Go to Symantec's Knowledge Base article and follow the download and execution instructions in the "Mitigation" section under the heading "To use the Nodec2exe.exe tool". Note that you must be logged in with administrator privileges to run this tool, and restart your machine afterwards.

The BigFix operations team is working to automatically deploy this quick fix to machines that have the BigFix service installed. BigFix is available at http://patching.stanford.edu.
Manual Upgrade Option

If you wish to upgrade your Symantec AntiVirus installation manually, ITSS strongly recommends that you first uninstall your current version of SAV and then install the new version from ESS. After upgrading, you must reboot your computer. You should also update your virus definitions.
RCC Matt Kaufman has provided the following advice for those experiencing blue-screens or slow-downs in Windows 2000 or XP when upgrading to SAV version 9. Further information on the possible problem and its remediation is available from Symantec's customer support.
The problem is apparently due to version 9 taking up a lot of kernel driver space, where Windows 2000 and XP only allow 12k of kernel drivers. So, if they have other programs that use this space, it can cause blue screens or very slow performance.

The fix:

- If your computer runs at all, disable realtime protection temporarily. If it does not run, restart in Safe Mode, then rename "C:\Program Files\Symantec" and "C:\Program Files\Symantec AntiVirus" to other names.
- Restart in normal mode, and a couple of warnings will pop up. You can then rename those two folders to their original names, since Symantec has not loaded.
- Now (for either case), go to Symantec and download SAVCE9_KStackMinFree.reg.
- Run it.
- Re-enable realtime protection, if necessary.
- Reboot.
References

Additional information regarding this vulnerability is available at
The Information Security Office wishes to thank Matt Kaufman and the many ITSS groups, including the Help Desk, Desktop Support, and the Windows System Group, who helped in creating this alert and who continue to work to protect the thousands of computers at Stanford.
Last modified Wednesday, 08-Feb-2006 11:46:25 PST
© 2005, Stanford University. All rights reserved.
Need computing help? Visit HelpSU or call 5-HELP (650-725-4357).