02:52 PM
Connect Directly

Vulnerability Spotted In Symantec AntiVirus Scan Engine

The company has produced patches for the flaw, which could let attackers slip their malicious code onto a system.

Another anti-virus vendor stepped up to acknowledge that a bug in its software gives hackers unauthorized entry into supposedly protected systems.

Symantec acknowledged a vulnerability in its Symantec AntiVirus Scan Engine software -- a TCP/IP server and programming interface that lets third-party developers add support for Symantec content scanning into their own applications -- which could let attackers slip their malicious code onto a system.

"A remote attacker that had the ability to access the affected service could leverage this issue by sending a malicious HTTP request to the service," Symantec said in a security advisory released late Tuesday. "This vulnerability allows attackers to execute arbitrary machine code in the context of the affected application…[to] allow remote attackers to gain privileged remote access to computers."

Reston, Va.-based iDefense, a division of security vendor VeriSign, discovered the vulnerability, notified Symantec of its findings Aug. 31, and also posted an advisory late Tuesday. According to iDefense, the vulnerability is found in AntiVirus Scan Engine's HTTP header validation.

No exploit has been seen for the bug, SecurityFocus said on its Web site. Symantec, meanwhile, has produced patches for the flaw.

This is the second time in two days that an anti-virus supplier has had to patch problems. Monday, Russian security company Kaspersky Labs was hit with a vulnerability in its Windows virus scanner.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.