Symantec fixes 'high-risk' flaw in Enterprise Security Manager
Attackers could hijack machines from remote locations by exploiting a flaw in Symantec Enterprise Security Manager (ESM). Kaspersky Lab users also have a flaw to deal with.
The Cupertino, Calif.-based antivirus giant said in an advisory that all versions of ESM are vulnerable to a remote code execution attack.
"The vulnerability exists in the ESM agent remote upgrade interface," Symantec said. "The ESM agent accepts remote upgrade requests from any entity that understands the upgrade protocol. The ESM agent does not currently verify that upgrades are from a trusted source."
As a result, attackers with knowledge of the agent protocol could deploy malware that allows them to control the host computer. Adding to the problem is that the ESM agent runs with administrative privileges.
Automated and manual fixes are available on the Symantec Web site.
The French Security Incident Response Team, (FrSIRT) described the flaw as "high-risk" because attackers could exploit it from remote locations to hijack targeted machines.
Symantec isn't the only antivirus vendor to plug a security hole in recent days.
Kaspersky flaw fixed
Russian antivirus vendor Kaspersky Lab has addressed multiple flaws across its product line attackers could exploit to hijack targeted machines or disclose sensitive data.
According to FrSIRT, the first problem is caused by input validation errors in the "AxKLProd60.dll" and "AxKLSysInfo.dll" ActiveX controls when processing arguments passed to certain methods such as StartUploading. Attackers could exploit this to retrieve or delete arbitrary files from a vulnerable system by tricking a user into visiting a specially crafted Web page.
The second vulnerability is caused by a heap overflow error in the OnDemand Scanner when parsing malformed ARJ archives via the "arj.ppl" module, FrSIRT said. Attackers could exploit this to run malicious commands by sending an email with the malicious file to a system being protected by a vulnerable application. The third issue is an integer overflow error in the hook function for the "_NtSetValueKey()" function when handling a large unsigned value for the data size argument. Attackers could exploit this to run malicious code with elevated privileges.
The fourth vulnerability is caused by an error in the "klif.sys" driver, which could be exploited by malicious users to execute arbitrary commands with Ring-0 privileges, FrSIRT said.
