CVE-2012-4953: A critical security flaw has been discovered in multiple Symantec antivirus products. Improper handling of malformed CAB files results in a memory corruption vulnerability. The vulnerability was announced by US-CERT on Nov 5.
According to the statement, successful exploitation may result in arbitrary code execution as the result of a file being scanned.
"We have confirmed that Symantec Endpoint Protection 11, which uses dec_abi.dll, and Symantec Scan Engine 5.2, which uses Dec2CAB.dll, are affected," the researcher says.
A remote attacker can send a specially crafted CAB formatted file to trigger a memory corruption error in 'dec_abi.dll' and execute arbitrary code with system privileges on the victim system.
I'm still confused about the date of notification to the vendor. The report says the bug was reported on 8 Apr 2011?!
"The SEP product team has received the vulnerability report (VU#985625) from CERT and we are actively working on a response that will include all affected versions of Symantec products as well as mitigation plans. Please be assured that all versions of SEP 12.1 are unaffected by CERT VU#985625. We will provide an official advisory on Wednesday, November 7 PST." This was Symantec's response when one of the users asked for details about the vulnerability in their forum.
According to the US-CERT advisory, Symantec Endpoint Protection 11 is affected and upgrading to Symantec Endpoint Protection 12 will fix the problem.
"Symantec currently has no plans to update Symantec Endpoint Protection 11. We have verified that Symantec Scan Engine, now known as Symantec Protection Engine for Cloud Services, version 7 does not appear to be affected," the advisory reads.