12:41 PM

Symantec Says Vulnerability Hits 63 Products

The number of products is among the largest ever for a single vulnerability, and demonstrates the risk of reusing code in a large group of programs.

Symantec on Wednesday named more than 60 of its products as affected by the critical vulnerability disclosed earlier this week, and said it was pushing out a "heuristic detection that would spot potential exploits. However, no patches have yet been released.

The number of impacted products was among the largest ever for a single vulnerability, and demonstrated the risk of reusing code in a large group of programs.

The bug, which was made public Tuesday by researcher Alex Wheeler, is in how Symantec's AntiVirus Library, part of virtually all the Cupertino, Calif.-based security giant's programs, handles RAR compressed files. RAR files are created by the WinRAR compression utility, developed and sold by RarLab.

In an advisory released Wednesday, Symantec listed 48 enterprise titles and 15 consumer products that used the flawed Library. On the consumer side, the 2006 versions of Norton AntiVirus, Internet Security, SystemWorks, and Personal Firewall are open to attack. Corporate titles such as Norton AntiVirus for Microsoft Exchange, BrightMail Antispam, and AntiVirus for Handhelds are also on the list.

Only a few programs are not affected, including earlier editions of Symantec AntiVirus Corporate Edition and Symantec Client Security.

The only protection for the moment is a special detection capability that Symantec is downloading to users' systems.

Heuristic detection for potential exploits targeting this vulnerability is available from LiveUpdate," Symantec said in an alert published to its DeepSight Threat Management System customers. "This detection is available to all desktop, server, and gateway product versions of Symantec's security products and appliances that contain the vulnerability."

The company is working on patches for the affected products, but hasn't given a timeline for completing the fixes. In the meantime, it urged all users to run LiveUpdate to download the heuristic detection.

Symantec also downplayed the threat, stating in the advisory that "to date, Symantec has not had any reports of related exploits of this vulnerability."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.