Symantec fixes 'high-risk' flaw in Enterprise Security Manager

News Analysis

Bill Brenner, Senior News Writer
Symantec Corp. has fixed a serious flaw in its Enterprise Security Manager (ESM) product that attackers could remotely exploit to hijack targeted machines.

The Cupertino, Calif.-based antivirus giant said in an advisory that all versions of ESM are vulnerable to a remote code execution attack.

"The vulnerability exists in the ESM agent remote upgrade interface," Symantec said. "The ESM agent accepts remote upgrade requests from any entity that understands the upgrade protocol. The ESM agent does not currently verify that upgrades are from a trusted source."

As a result, attackers with knowledge of the agent protocol could deploy malware that allows them to control the host computer. Adding to the problem is that the ESM agent runs with administrative privileges.

Automated and manual fixes are available on the Symantec Web site.

The French Security Incident Response Team (FrSIRT) described the flaw as "high-risk" because attackers could exploit it from remote locations to hijack targeted machines.

Symantec isn't the only antivirus vendor to plug a security hole in recent days.

Kaspersky flaw fixed
Russian antivirus vendor Kaspersky Lab has addressed multiple flaws across its product line that attackers could exploit to hijack targeted machines or disclose sensitive data.

According to FrSIRT, the first problem is caused by input validation errors in the "AxKLProd60.dll" and "AxKLSysInfo.dll" ActiveX controls when processing arguments passed to certain methods such as StartUploading. Attackers could exploit this to retrieve or delete arbitrary files from a vulnerable system by tricking a user into visiting a specially crafted Web page.

The second vulnerability is caused by a heap overflow error in the OnDemand Scanner when parsing malformed ARJ archives via the "arj.ppl" module, FrSIRT said. Attackers could exploit this to run malicious commands by emailing the malicious file to a system protected by a vulnerable version of the product. The third issue is an integer overflow in the hook for the "_NtSetValueKey()" function when it handles a large unsigned value in the data size argument. Attackers could exploit this to run malicious code with elevated privileges.
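To illustrate the class of bug behind the third issue, here is an added example that is not Kaspersky's code and not from the article: a hypothetical model of a driver hook that checks the NtSetValueKey data size argument before copying the value into a fixed scratch buffer. The buffer and header sizes are invented; the point is that a length check computed on a wrapping 32-bit sum accepts a huge size the hardened check rejects.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (not the vendor's code) of a filter-driver hook that
 * validates the DataSize argument of NtSetValueKey before copying the value,
 * preceded by a small header, into a fixed-size scratch buffer. */
#define HEADER_LEN   16u    /* constructed: bytes of bookkeeping before the data */
#define SCRATCH_LEN  4096u  /* constructed: size of the fixed scratch buffer */

/* Vulnerable pattern: the bound is checked on a 32-bit sum that wraps when
 * DataSize is near UINT32_MAX, so a huge DataSize can pass the check. */
bool vulnerable_fits(uint32_t data_size) {
    uint32_t total = data_size + HEADER_LEN;   /* may wrap to a small value */
    return total <= SCRATCH_LEN;
}

/* Hardened pattern: compare DataSize against the room that remains after the
 * header, so no arithmetic on the untrusted value can overflow. */
bool hardened_fits(uint32_t data_size) {
    return data_size <= SCRATCH_LEN - HEADER_LEN;
}

/* Returns 1 when the vulnerable check accepts an input the hardened check
 * rejects (or vice versa), which is exactly the wrap-around case. */
int checks_disagree(uint32_t data_size) {
    return vulnerable_fits(data_size) != hardened_fits(data_size);
}

int main(void) {
    uint32_t probes[] = { 0u, 100u, SCRATCH_LEN - HEADER_LEN, SCRATCH_LEN,
                          UINT32_MAX - 8u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("DataSize=%10u vulnerable=%d hardened=%d\n", probes[i],
               vulnerable_fits(probes[i]), hardened_fits(probes[i]));
    }
    return 0;
}
```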

The fourth vulnerability is caused by an error in the "klif.sys" driver, which could be exploited by malicious users to execute arbitrary commands with Ring-0 privileges, FrSIRT said.
