The information has been provided by Joshua J. Drake.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=858
* kvolefio.dll version 126.96.36.19939, distributed with IBM Lotus Notes 8.5
* kvolefio.dll version 10.5.0.0, distributed with Symantec Mail Security for Microsoft Exchange
All versions of the KeyView SDK that include the "kvolefio.dll" library are suspected to be vulnerable. All applications that utilize Autonomy's KeyView SDK to process untrusted content are also believed to be vulnerable.
* Symantec Mail Security for Domino 8.0.2 and prior
* Symantec Mail Security for Domino 7.5.8 and prior
* Symantec Mail Security for Microsoft Exchange 6.0.9 and prior
* Symantec Mail Security for Microsoft Exchange 5.0.13 and prior
* Symantec BrightMail Gateway 8.x and prior
* Symantec Mail Security for SMTP (EOL) 5.0.x
* Symantec Data Loss Prevention Enforce/Detection Servers for Windows 8.1.1
* Symantec Data Loss Prevention Enforce/Detection Servers for Windows 9.x
* Symantec Data Loss Prevention Enforce/Detection Servers for Windows 10.0
* Symantec Data Loss Prevention Enforce/Detection Servers for Linux 8.1.1
* Symantec Data Loss Prevention Enforce/Detection Servers for Linux 9.x
* Symantec Data Loss Prevention Enforce/Detection Servers for Linux 10.0
* Symantec Data Loss Prevention Endpoint Agents 8.1.1
* Symantec Data Loss Prevention Endpoint Agents 9.x
* Symantec Data Loss Prevention Endpoint Agents 10.0
* Symantec IM Manager 2007 8.x
* Symantec Mail Security for Domino - SMSDOM MPE 3.2
* Symantec Mail Security for Domino - SMSDOM 5.1
* Symantec Mail Security for Microsoft Exchange - All versions prior to 5.0.10
* Symantec Mail Security for Microsoft Exchange - All 6.0.x versions prior to 6.0.5
* Symantec Data Loss Prevention Endpoint Agents - 7.x
This vulnerability occurs when processing specially crafted documents. When processing such a document, the software reads an integer value from the file and uses this integer, without validation, in an arithmetic operation to calculate the amount of memory to allocate. If a sufficiently large number is supplied, the calculation overflows, resulting in a buffer of insufficient size being allocated. The software then proceeds to copy data into this under-sized buffer. This results in an exploitable heap buffer overflow condition.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the targeted application. In order to exploit this vulnerability, an attacker must cause a specially crafted OLE file to be processed by an application using the Autonomy KeyView SDK. This includes file types such as PowerPoint, Excel, Word, as well as other document formats.
The amount of user interaction required is tied to the way in which the KeyView SDK is used. In cases such as Lotus Notes, this requires that an attacker convince a user to view an e-mail attachment; however, in other cases, processing may take place automatically as a document is examined.
The privileges that an attacker gains may be different for each application that uses the KeyView SDK. For example, exploiting this issue via Lotus Notes yields the current user's privileges while exploiting the vulnerability via Symantec Mail Security yields SYSTEM privileges.
Updates are available at http://customers.autonomy.com/
Symantec Corporation has released a solution which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:
For Symantec Mail Security, disabling "content filtering" will prevent exploitation.
Unfortunately, disabling the affected "kvolefio.dll" library causes additional issues. Working around this issue by disabling filters would require all filters that utilize this module to be disabled. It is not clear at this time if this is even possible.
09/28/2009 Initial Vendor Notification
09/28/2009 Initial Vendor Reply
03/04/2010 Coordinated Public Disclosure