The SAVRT.SYS device driver, as used in Symantec AntiVirus Corporate Edition 8.1 and 9.0.x up to 9.0.3, and Symantec Client Security 1.1 and 2.0.x up to 2.0.3, allows local users to execute arbitrary code via a modified address for the output buffer argument to the DeviceIoControl function.
secunia.com/advisories/22536
securitytracker.com/id?1017108
securitytracker.com/id?1017109
www.securityfocus.com/archive/1/449524/100/0/threaded
www.securityfocus.com/bid/20684
www.symantec.com/avcenter/security/Content/2006.10.23.html
www.vupen.com/english/advisories/2006/4157
exchange.xforce.ibmcloud.com/vulnerabilities/29762