             AUSCERT External Security Bulletin Redistribution

                          ESB-2006.0785 -- [Win]
               Symantec Device Driver Elevation of Privilege
                              24 October 2006


        AusCERT Security Bulletin Summary

Product:              Symantec AntiVirus Corporate Edition 9.0.3 and prior
                      Symantec AntiVirus Corporate Edition 8.1
                      Symantec Client Security 2.0.3 and prior
                      Symantec Client Security 1.1
Publisher:            Symantec
Operating System:     Windows
Impact:               Administrator Compromise
Access:               Existing Account
CVE Names:            CVE-2006-3455

Original Bulletin:    

Comment: Note this is a new vulnerability distinct from the IOCTL
         kernel privilege escalation issue reported in the same
         products in ESB-2006.0736.

--------------------------BEGIN INCLUDED TEXT--------------------

Symantec Product Security Advisory

October 23, 2006

SYM06-022 Symantec Device Driver Elevation of Privilege

Risk Impact:  Medium 
Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit available: No

Symantec was notified of a vulnerability in a device driver which, if 
successfully exploited, could allow a local attacker to execute arbitrary 
code with elevated privileges or to crash the system. 

Affected Products 

Symantec AntiVirus Corporate Edition 8.1
Symantec AntiVirus Corporate Edition 9.0.3 and earlier
Symantec Client Security 1.1
Symantec Client Security 2.0.3 and earlier

Unaffected Products

Symantec AntiVirus Corporate Edition 8.1.1 MR9
Symantec AntiVirus Corporate Edition 9.0.4 and later
Symantec AntiVirus Corporate Edition 10.x
Symantec Client Security 3.x
Norton AntiVirus 2005 and later
Norton Internet Security 2005 and later
Norton System Works 2005 and later


Boon Seng Lim notified Symantec of a vulnerability in SAVRT.SYS which could 
allow a malicious user to use the output buffer of DeviceIoControl() to 
overwrite kernel addresses because the address space of the output buffer was 
not properly validated.  A successful exploit could potentially allow a local 
attacker to execute code of their choice with elevated privileges, or to 
crash the system.

Symantec Response

Symantec engineers verified that this issue exists in the affected products 
listed above, and have released updates for currently supported affected 
products. 

Symantec is not aware of any customers impacted by this issue, or of any 
attempts to exploit the issue.  

Any future updates to this advisory will be posted in the Symantec Advisory:

Symantec would like to thank Boon Seng Lim for reporting this issue, and 
working with us on the resolution.  

This issue is a candidate for inclusion in the Common Vulnerabilities and 
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for 
security problems.  The CVE initiative has assigned CVE-2006-3455 to this 
issue.

--------------------------END INCLUDED TEXT--------------------
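
Added example (not part of the Symantec advisory or the AusCERT bulletin, and
not SAVRT.SYS code or Symantec's fix): a user-space C model of the output
buffer validation the advisory says was missing, the kind of range check a
Windows driver obtains from ProbeForWrite before writing to a caller-supplied
address. The names check_output_buffer and USER_PROBE_LIMIT, the 32-bit
address layout and all sample addresses are assumptions constructed for
illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this model: 32-bit Windows layout, where addresses a
 * user-mode caller may legitimately pass end below 0x7FFF0000. */
#define USER_PROBE_LIMIT 0x7FFF0000u

typedef enum {
    OUT_OK, OUT_TOO_SMALL, OUT_MISALIGNED, OUT_WRAPS, OUT_NOT_USER_RANGE
} out_check_t;

/* Decide whether a driver may write `needed` bytes of results to the
 * output buffer [addr, addr+len) named by an unprivileged caller.
 * Addresses are modelled as plain integers; nothing is dereferenced. */
out_check_t check_output_buffer(uint32_t addr, uint32_t len,
                                uint32_t needed, uint32_t align)
{
    uint32_t end = addr + len;          /* unsigned add, may wrap */

    if (len < needed)
        return OUT_TOO_SMALL;           /* result would overrun the buffer */
    if (align > 1 && (addr & (align - 1)) != 0)
        return OUT_MISALIGNED;
    if (end < addr)
        return OUT_WRAPS;               /* addr+len overflowed 32 bits */
    if (end > USER_PROBE_LIMIT)
        return OUT_NOT_USER_RANGE;      /* touches kernel address space */
    return OUT_OK;
}

int main(void)
{
    /* Constructed sample requests: {addr, len}; 16 result bytes, 4-byte aligned. */
    static const uint32_t req[][2] = {
        {0x00401000u, 64}, {0x80541000u, 64}, {0x7FFEFFF0u, 0x20},
        {0xFFFFFFF0u, 0x40}, {0x00401000u, 8}, {0x00401002u, 64},
    };
    static const char *name[] = { "ok", "too small", "misaligned",
                                  "wraps", "not in user range" };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("addr=0x%08X len=%u -> %s\n", (unsigned)req[i][0],
               (unsigned)req[i][1],
               name[check_output_buffer(req[i][0], req[i][1], 16, 4)]);
    return 0;
}
```

A real driver performs this check in kernel mode at the point of use and
handles the resulting exception; the model only shows which address ranges
must be refused.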

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
