Guide to Using Symantec's Nodec2exe.exe Utility to Remove UPX Parser Vulnerability in Symantec AntiVirus for Windows

Last updated on February 15, 2005.

Complete information, including information about Norton AntiVirus for the Macintosh and links to additional documentation concerning this vulnerability, is available on the relevant Secure Computing Alerts page. The page you are reading is concerned only with NAV/SAV for Windows. Note also that at present there are no live exploits in the wild that target this vulnerability, and proof-of-concept code is not publicly available (although Symantec has, of course, confirmed that the vulnerability exists).

Fix or Upgrade?

For users of vulnerable installations of Symantec AntiVirus Corporate Edition versions 8.x/9.x the Nodec2exe.exe utility will effectively disable the vulnerable UPX parsing engine. You may tell such users to run the utility, restart Windows if they see Message #1 below, and ask them please to consider upgrading to the version now posted on ESS at their earliest convenience: but upgrading is not immediately necessary.

Users of other, older corporate editions or any consumer editions of Norton/Symantec AntiVirus should uninstall their current version using Add/Remove Programs, restart Windows, and install Symantec AntiVirus 9.0.3. There are possible problems in performing this upgrade, a few notes concerning which are below.

In the case of SAV Corporate Editions 7.x/8.x/9.x, you can usually upgrade in place without first removing the previous installation through Add/Remove Programs. Consumer editions of NAV/SAV should always be removed before installing the corporate edition now on ESS.

Do be aware that Norton AntiVirus Corporate Edition 7.x for Windows is not vulnerable: It's just a good idea to upgrade if feasible. Use your judgment when assisting clients who are running NAV CE 7.x. If an upgrade attempt is likely to introduce problems, then as always it may be best to leave well enough alone. On the other hand, while so far as I know virus definitions updates will continue to be provided for NAV CE 7.x in the near future, Symantec won't support it forever.

Alternate Download for the Nodec2exe.exe Utility

If anyone has difficulty downloading the Nodec2exe.exe utility from Symantec, I'm providing a copy at http://www.stanford.edu/~jstamps/files/nodec2exe.exe. Please feel free to share this download URL with anyone you support. You must have a valid SUNet ID in order to download this file. The likeliest hurdle to downloading the utility from Symantec will be Internet Explorer security settings. Users of Windows XP Service Pack 2 who have run the ITSS Service Pack 2 Configuration tool, available on ESS, should have no trouble downloading the copy available on this page.

For the paranoid among you, the MD5 checksum for this copy of Nodec2exe.exe is 295c0dd29bc4cce7896df033587bf6bf, it's 45,056 bytes in size, and this is the version of the tool that was available from the Symantec web site on February 14, 2005. I don't expect the tool ever to be updated.
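If you want to check a downloaded copy rather than eyeball the hash, the following small script compares a file's size and MD5 digest against the two values quoted above. It is an added example for this guide, not part of the original page or of Symantec's tool; the two constants are the values stated here, and the function names and the returned dictionary are this example's own choices.

```python
"""Check a downloaded copy of Nodec2exe.exe against the size and MD5 quoted above.

Added example for this guide, not part of the original page or of Symantec's
tool. EXPECTED_MD5 and EXPECTED_SIZE are the values the guide quotes; the
function names and the returned dict are this example's own choices.
"""
import hashlib
import sys

EXPECTED_MD5 = "295c0dd29bc4cce7896df033587bf6bf"   # from the guide
EXPECTED_SIZE = 45056                                # bytes, from the guide


def check_bytes(data, expected_md5=EXPECTED_MD5, expected_size=EXPECTED_SIZE):
    """Compare file contents against the expected size and MD5 digest.

    Size is checked separately so a truncated download is reported as a
    size problem rather than only as a hash mismatch.
    """
    digest = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "size_ok": len(data) == expected_size,
        "md5": digest,
        "md5_ok": digest == expected_md5.lower(),
    }


def check_file(path, **kwargs):
    """Run check_bytes on a file on disk (the tool is 44 KB, so read it whole)."""
    with open(path, "rb") as fh:
        return check_bytes(fh.read(), **kwargs)


if __name__ == "__main__":
    result = check_file(sys.argv[1] if len(sys.argv) > 1 else "nodec2exe.exe")
    status = "OK" if result["size_ok"] and result["md5_ok"] else "MISMATCH"
    print(f"{status}: {result['size']} bytes, md5 {result['md5']}")
    sys.exit(0 if status == "OK" else 1)
```

A match confirms that the file is byte-for-byte the copy described here; it does not by itself prove that the file came from Symantec, so if you can also download the tool from Symantec, hash that copy too and compare.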

Using Nodec2exe.exe

When you launch the tool on a Windows PC running a Corporate Edition of Norton/Symantec AntiVirus, you will probably see one of four messages. Details of how the tool works, and how to accomplish the same end manually, are on the Symantec web page referenced above.

  1. Message #1 means that a vulnerable version of SAV was found and repaired. Click OK and restart Windows; after the restart the vulnerable UPX parsing component is disabled and this vulnerability no longer applies.
  2. Message #2 means that the version of SAV running on your computer is not vulnerable.
  3. Message #3 means that while you appear to have SAV installed on your computer, the relevant configuration file is missing. In such a case it would probably be wise to uninstall your current version of SAV, restart Windows, and install version 9.0.3 available on ESS.
  4. Message #4 means that SAV appears not to be installed on this computer. If you're not using another antivirus product, you should immediately install SAV.

There may be other messages the tool will generate under some circumstances, but these should be the most important.

Possible Problems in Upgrading to Symantec AntiVirus 9.0.3

One of the most common problems users will encounter is incomplete removal of previous NAV/SAV installations. Manual removal involves editing the Windows registry, which is always somewhat risky. Only experienced technicians should attempt these procedures.

How to uninstall the Norton AntiVirus Corporate Edition 7.5 and 7.6 for Windows NT/2000/XP client manually
How to manually uninstall Symantec AntiVirus Corporate Edition 8.x Client on Windows NT/2000/XP
Manually uninstalling Symantec AntiVirus Corporate Edition 9.x client from Windows NT/2000/XP/2003

The Symantec Support site includes instructions - and in some cases utilities - for the complete removal of other products.

A fairly common problem in upgrading from consumer editions of NAV/SAV that were bundled with a firewall is that Windows' DHCP client service stops working, even after what you believe has been a thorough removal of the product. The cause is a leftover dependency: the firewall's SymTDI driver is still listed in the Dhcp service's DependOnService value, so the service cannot start once the driver is gone. The fix is to remove the SymTDI entry from that multi-string (REG_MULTI_SZ) value, leaving the other dependencies in place, in CurrentControlSet and in every ControlSetxxx child key:

HKEY_LOCAL_MACHINE\SYSTEM\[CurrentControlSet | ControlSetxxx]\Services\Dhcp

Do not attempt this procedure unless you really know what you're doing! And you should always make a back-up of the registry first.
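For technicians who would rather script the repair than hand-edit each control set, here is the same fix as a Python script. It is an added example for this guide, not Symantec's tool or a script from the original page. It assumes that DependOnService is stored as a REG_MULTI_SZ (a list of service names) under each SYSTEM\ControlSetNNN\Services\Dhcp key, which is how Windows NT/2000/XP/2003 store it; the function names, the dry-run default and the JSON backup file are this example's own choices. The registry part needs Windows and an administrative account; the list handling runs anywhere.

```python
"""Remove a leftover SymTDI entry from the Dhcp service's DependOnService value.

Added example for this guide; not Symantec's tool or a script from the original
page. Assumes DependOnService is a REG_MULTI_SZ (list of service names) under
each SYSTEM\\ControlSetNNN\\Services\\Dhcp key. Function names, the dry-run
default and the JSON backup file are this example's own choices.
"""
import json
import sys

VALUE_NAME = "DependOnService"
LEFTOVER = "symtdi"          # matched case-insensitively


def strip_symtdi(depend_on_service):
    """Return the dependency list with every SymTDI entry removed.

    Only the SymTDI entry goes; real prerequisites such as Tcpip or Afd stay,
    otherwise Dhcp could be started before the network stack it needs.
    """
    return [dep for dep in depend_on_service if LEFTOVER not in dep.lower()]


def needs_fix(depend_on_service):
    """True when the list still names SymTDI."""
    return len(strip_symtdi(depend_on_service)) != len(depend_on_service)


def control_set_names(winreg):
    """'CurrentControlSet' plus every ControlSetNNN key under HKLM\\SYSTEM."""
    names = ["CurrentControlSet"]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(system, index)
            except OSError:          # no more subkeys
                break
            index += 1
            if name.upper().startswith("CONTROLSET"):
                names.append(name)
    return names


def fix_dhcp_dependencies(dry_run=True, backup_path="dhcp-dependonservice-backup.json"):
    """Inspect (and, with dry_run=False, repair) the Dhcp key in every control set.

    Returns the registry paths whose DependOnService names SymTDI. The original
    values are written to backup_path before anything is changed.
    """
    import winreg  # Windows only; imported here so the list helpers work elsewhere

    access = winreg.KEY_READ if dry_run else winreg.KEY_READ | winreg.KEY_SET_VALUE
    backup, affected = {}, []
    for cs in control_set_names(winreg):
        path = rf"SYSTEM\{cs}\Services\Dhcp"
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access)
        except OSError:
            continue                 # control set without a Dhcp service key
        with key:
            try:
                deps, kind = winreg.QueryValueEx(key, VALUE_NAME)
            except OSError:
                continue             # no DependOnService value here
            if kind != winreg.REG_MULTI_SZ or not needs_fix(deps):
                continue
            backup[path] = deps
            affected.append(path)
            if not dry_run:
                winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ,
                                  strip_symtdi(deps))
    if backup:
        with open(backup_path, "w") as fh:
            json.dump(backup, fh, indent=2)
    return affected


if __name__ == "__main__":
    apply_fix = "--apply" in sys.argv
    for path in fix_dhcp_dependencies(dry_run=not apply_fix):
        print(("fixed " if apply_fix else "would fix ") + path)
```

Run it once without arguments to see which control sets are affected and to write the backup file, then again with --apply from an administrative command prompt, and restart Windows. CurrentControlSet is a link to one of the ControlSetNNN keys, so that key is visited twice; the second visit finds nothing left to change.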