Flaws Found in Symantec Scan Engine

Symantec earlier this week warned of vulnerabilities within its Scan Engine, a programming interface that allows third parties to incorporate scanning technologies into their applications. The security software maker has rated the vulnerabilities as a "medium risk."

According to the advisory, the first problem lies within an issue in authenticating Web-based logins. "Anyone with knowledge of the underlying communication mechanism can control the Scan Engine server," the notice reads.

Another flaw opens the program up to a "man-in-the-middle attack." According to Symantec, the DSA key used for SSL communications is easily extracted.

Remote users could also download any file in the installation directory of the program through a third flaw. Using regular or specially crafted HTTP requests, the information could be easily accessed.

The company stressed that these vulnerabilities only affect the Scan Engine and none of its desktop applications.

Customers are urged to upgrade to Symantec Scan Engine 5.1 in order to protect themselves from the flaw. At this time, there are no known available exploits. However, proof-of-concept code has already been published, security researchers warn.