Symantec Corp. has fixed a serious flaw in its Enterprise Security
Manager (ESM) product that attackers could remotely exploit to hijack
targeted machines.
The Cupertino, Calif.-based antivirus giant said in an advisory that
all versions of ESM are vulnerable to a remote code execution attack.
"The vulnerability exists in the ESM agent remote upgrade
interface," Symantec said. "The ESM agent accepts remote upgrade
requests from any entity that understands the upgrade protocol. The
ESM agent does not currently verify that upgrades are from a
trusted source."
As a result, attackers with knowledge of the agent protocol
could deploy malware that allows them to control the host computer.
Adding to the problem is that the ESM agent runs with
administrative privileges.
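The weakness described above is an upgrade channel that accepts any request from a peer that speaks the protocol. The following is an added illustration, not Symantec's code or protocol: a minimal agent-side handler in the vulnerable "accept anything" form beside a hardened form that only applies an upgrade whose envelope carries a valid HMAC under a key provisioned on the agent and whose package bytes match the digest the signed request names. Every name, the message layout and the shared key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed: a key provisioned out of band on the agent. Any real deployment
# would use a per-installation secret (or a public-key signature scheme) rather
# than a literal in source.
AGENT_SHARED_KEY = b"example-preshared-key-not-for-real-use"

# Constructed sample upgrade package and the request that describes it.
SAMPLE_PACKAGE = b"\x4d\x5a example-upgrade-binary-bytes"
SAMPLE_REQUEST = {
    "package": "esm-agent-upgrade",
    "version": "6.5.3-example",
    "package_sha256": hashlib.sha256(SAMPLE_PACKAGE).hexdigest(),
}


def _canonical(request: dict) -> bytes:
    """Serialize the request deterministically so signer and verifier agree."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def apply_upgrade_unauthenticated(request: dict, package: bytes) -> str:
    """Vulnerable pattern: whoever can reach the interface gets code installed.

    Nothing ties the request or the package bytes to a trusted publisher.
    """
    return f"applied {request['package']} {request['version']} ({len(package)} bytes)"


def sign_upgrade(request: dict, key: bytes) -> dict:
    """Producer side: wrap the request in an envelope carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(request), hashlib.sha256).hexdigest()
    return {"body": request, "mac": tag}


def apply_upgrade_authenticated(envelope: dict, package: bytes, key: bytes) -> str:
    """Hardened pattern: verify origin of the request, then integrity of the package.

    Raises PermissionError for anything that does not verify; nothing is
    applied before both checks pass.
    """
    body = envelope.get("body")
    if not isinstance(body, dict):
        raise PermissionError("upgrade rejected: malformed envelope")

    expected_tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected_tag, str(envelope.get("mac", ""))):
        raise PermissionError("upgrade rejected: request is not from a trusted source")

    # The signed request names the package digest; the bytes actually delivered
    # must match it, otherwise a valid request could be paired with a different payload.
    actual_digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual_digest, str(body.get("package_sha256", ""))):
        raise PermissionError("upgrade rejected: package digest mismatch")

    return apply_upgrade_unauthenticated(body, package)


if __name__ == "__main__":
    env = sign_upgrade(SAMPLE_REQUEST, AGENT_SHARED_KEY)
    print(apply_upgrade_authenticated(env, SAMPLE_PACKAGE, AGENT_SHARED_KEY))
    try:
        apply_upgrade_authenticated(env, SAMPLE_PACKAGE + b"!", AGENT_SHARED_KEY)
    except PermissionError as exc:
        print(exc)
```

The two checks are deliberately separate: the MAC answers "did a trusted party ask for this upgrade?", the digest answers "is this the package that party described?". An agent that performs only the first can still be handed a swapped binary; an agent that performs neither behaves like the pre-patch interface the advisory describes. A production design would add a version or nonce to the signed body so an old, legitimately signed request cannot be replayed.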
Automated and manual fixes are available on the
Symantec Web site.
The French Security Incident Response Team (FrSIRT) described the
flaw as "high-risk" because attackers could exploit it from remote
locations to hijack targeted machines.
Symantec isn't the only antivirus vendor to plug a security hole
in recent days.
Kaspersky flaw fixed
Russian antivirus vendor Kaspersky Lab has addressed multiple flaws
across its product line that attackers could exploit to hijack
targeted machines or disclose sensitive data.
According to FrSIRT, the first problem is caused by input validation
errors in the "AxKLProd60.dll" and "AxKLSysInfo.dll" ActiveX controls
when processing arguments passed to certain methods such as
StartUploading. Attackers could exploit this to retrieve or delete
arbitrary files from a vulnerable system by tricking a user into
visiting a specially crafted Web page.
The second vulnerability is caused by a heap overflow error in
the OnDemand Scanner when parsing malformed ARJ archives via the
"arj.ppl" module, FrSIRT said. Attackers could exploit this to run
malicious commands by sending an email with the malicious file to a
system being protected by a vulnerable application. The third issue
is an integer overflow error in the hook function for the
"_NtSetValueKey()" function when handling a large unsigned value
for the data size argument. Attackers could exploit this to run
malicious code with elevated privileges.
The fourth vulnerability is caused by an error in the "klif.sys"
driver, which could be exploited by malicious users to execute
arbitrary commands with Ring-0 privileges, FrSIRT said.