Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives CVE-2016-2211

Project Member Reported by taviso@google.com, May 2 2016
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac.

It is self-evident from looking at the decomposer code that Symantec have based the CAB decompression on the open-source libmspack package by Stuart Caie. Similar to issue 810, where Symantec didn't keep their unrar package updated, the libmspack library is also out of date and vulnerable to publicly known memory corruption vulnerabilities.

I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORITY\SYSTEM on Windows and root on Linux and Mac. I have verified this on the following products:

Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows

Presumably this affects all other Symantec products using the core Symantec scan engine. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.

In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. I've attached a sample testcase that triggers CVE-2014-9732 you can use to verify this.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Project Member Comment 1 by taviso@google.com, Jun 28 2016

Comment, Jun 28 2016

Comment, Jun 29 2016
Nice work as always. Would you be able to post the password for testcase.zip? It's not "infected".

Comment, Jul 6 2016
Can you tell me the password? The password is not "infected".

Comment, Jul 6 2016
Sorry about that, I've attached the correct testcase.