SUMMARY

A vulnerability has been identified in the Windows version of the Symantec Antivirus component responsible for decomposition of encoded / archived content. The vulnerability causes the decomposer component to crash when a unique RAR file is received for decomposing and scanning. Malicious content placed inside such a configured RAR file can be bypassed and not detected by the initial file scan. The bypassed malicious content does not pose a risk until extracted from the RAR archive file. The malicious content will be detected and eliminated by RealTime Virus Scan / Auto-Protect when it is extracted from the RAR file on systems running Symantec Antivirus.

AFFECTED PRODUCTS

Symantec Response
The vulnerability has been traced to a particular component build environment that was in use for a limited period. The vulnerable version affected Microsoft Windows builds only.

Affected Products

Enterprise Products

Consumer Products

Note: Only Symantec products indicated above are potentially vulnerable. All other Symantec products are NOT affected.

MITIGATION

Recommendations:
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers, if they are not already running a non-vulnerable product version/build, update their product immediately to protect against these types of threats.

Updates are available either through Symantec's LiveUpdate for those products that have LiveUpdate capability or from the Symantec Support site at http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations impacted by this issue.

ACKNOWLEDGEMENTS

Symantec would like to thank André Jerleke a.k.a. Phiberz -- [email protected] for bringing this issue to our attention