Sym07-019 Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass
Question/Issue:
You use Symantec AntiVirus Corporate Edition or Symantec Client Security and would like more information about the Sym07-019 Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass vulnerability.
Solution:
In the Symantec Decomposer component used to decompose some types of archive content while scanning for malicious content, two issues have been identified.
For additional information on the SYM07-019 vulnerability, read the Symantec Security Response SYM07-019 Security Advisory.
Mitigation
There are three possible ways to remove the Sym07-019 vulnerability in Symantec Client Security or Symantec AntiVirus:
- Upgrade to a build that is not affected by the vulnerability.
- Disable the vulnerable decomposers manually by editing a configuration file.
- Upgrade the vulnerable decomposer engine by using the Decomposer Update Tool. This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6, Symantec AntiVirus 10.1 MR6 or 10.1.5.5010.
Upgrade to an unaffected build
Symantec has created fixed versions of Symantec AntiVirus and Symantec Client Security. The solution paths from each version of Symantec AntiVirus and Symantec Client Security are as follows:
To obtain the latest release, read the document
How to obtain an update or an upgrade for your Symantec corporate product.
Some upgrade paths require migrating to Symantec Client Security 3.1 or Symantec AntiVirus 10.1. To obtain these products, read the document
How to obtain an update or an upgrade for your Symantec corporate product. For instructions on how to migrate to those versions, read one of the following documents:
Migrating to Symantec Client Security 3.1
Migrating to Symantec Client Security 3.1 Small Business Edition
Migrating to Symantec AntiVirus 10.1 Corporate Edition
Migrating to Symantec AntiVirus 10.1 Small Business Edition
For information on upgrading to 9.0 MR6 MP1, read
Applying Symantec Client Security 2.0 and Symantec AntiVirus 9.0 Maintenance Release 6 Maintenance Patch 1.
Localized version of the updated builds of Symantec Client Security and Symantec AntiVirus are available.
Use the decomposer update tool
Symantec has created two tools to update the decomposer engines for the unlicensed versions of Symantec AntiVirus and Symantec Client Security. This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6, Symantec AntiVirus 10.1 MR6 or earlier.
You must run the tool with Administrator or System account privileges.
Note: Win 9x, ME and NT 3.51 are not supported by Dec3Update9.exe tool.
Command line options:
The following command line options are available for the tool:
| Option | Effect |
| /visible | Makes the simple dialog box appear. By default, the tool runs in silent mode. |
| /log | Appends or creates the log file Dec3Updater.log in the user temp variable folder (%temp%). |
Functionality of the decomposer update tool
- When you run the tool, it obtains the version of Symantec AntiVirus. Depending on the version, it determines the folder that contains the Decomposer from information in the registry.
- The tool stops the services that depend on the Decomposer files, in order to ensure that they are not held or locked. It also closes any dependent services.
- The tool deletes the decomposer files one by one, and replaces them with the new DLL files.
- The tool restarts the services that it stopped.
- If the /log option is enabled, the tool creates the logfile Dec3Updater.log under the user temp variable (%temp%) folder.
The tool replaces the following files:
- Dec2.dll
- Dec2AMG.dll
- Dec2ARJ.dll
- Dec2CAB.dll
- Dec2GZIP.dll
- Dec2ID.dll
- Dec2LHA.dll
- Dec2LZ.dll
- Dec2RAR.dll
- Dec2RTF.dll
- Dec2SS.dll
- Dec2TAR.dll
- Dec2TNEF.dll
- Dec2Text.dll
- Dec2Zip.dll
- DecSDK.dll
Disable scanning of potentially vulnerable files manually
This method manually prevents the Decomposer engine from scanning files that may cause the problem.
- In Windows Explorer, open the Symantec AntiVirus installation folder.
The location of this folder varies by product and operating system.
- In an ASCII text editor such as Notepad, open the file Dec3.cfg.
- The fifth line of the file contains a number that corresponds to the number of .dll files listed below it. Verify that this is the case.
- Reduce the number in the fifth line by 2.
- Find the following lines:
Dec2CAB.dll
Dec2RAR.dll
- Delete the Dec2CAB.dll line and the line that immediately follows.
- Delete the Dec2RAR.dll line and the line that immediately follows.
- Close and save the Dec3.cfg file.
- Restart the Symantec AntiVirus service.
This procedure disables the Dec2CAB.dll and Dec2RAR.dll files. After these files are disabled, Symantec Client Security and Symantec AntiVirus are no longer vulnerable.
Example:
The following is an example of the contents of the Dec3.cfg file
before and
after the
manual alteration. Bold emphasis has been added to the lines that are altered.
| Before alteration | After alteration |
.
1000000
16384
500000
14
Dec2ID.dll
10
Dec2ZIP.dll
24
Dec2SS.dll
18
Dec2GZIP.dll
7
Dec2CAB.dll
4
Dec2LHA.dll
12
Dec2ARJ.dll
3
Dec2TNEF.dll
22
Dec2LZ.dll
14
Dec2AMG.dll
1
Dec2RAR.dll
19
Dec2TAR.dll
21
Dec2RTF.dll
20
Dec2Text.dll
33 | .
1000000
16384
500000
12
Dec2ID.dll
10
Dec2ZIP.dll
24
Dec2SS.dll
18
Dec2GZIP.dll
7
Dec2LHA.dll
12
Dec2ARJ.dll
3
Dec2TNEF.dll
22
Dec2LZ.dll
14
Dec2AMG.dll
1
Dec2TAR.dll
21
Dec2RTF.dll
20
Dec2Text.dll
33 |
Unaffected products
| Product | Unaffected version | Builds |
| Symantec AntiVirus | 10.2 | All |
| Symantec AntiVirus for Handhelds - Corporate Edition | All | All |
| Symantec Client Security for Nokia | All | All |
Document ID: 2007071111591448
Last Modified: 11/27/2007
Date Created: 07/11/2007
Operating System(s): Windows 2000, Windows XP Home, Windows XP Professional Edition, Windows XP Tablet PC, Windows Server 2003 32-bit Edition, Windows XP Media Center Edition 2005, Windows 2000 Professional, Windows 2000 Server
Product(s): Symantec AntiVirus Corporate Edition 10.0, Symantec AntiVirus Corporate Edition 9.0
Release(s): SAV 10.0, SAV 9.0
Cart
PRINT THIS PAGE