Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Security IT

Symantec Confirms AV Library Flaw, Promises Patch 133

Posted by CowboyNeal from the watching-the-watchmen dept.
the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."
This discussion has been archived. No new comments can be posted.

Symantec Confirms AV Library Flaw, Promises Patch More

Symantec Confirms AV Library Flaw, Promises Patch

Comments Filter:

  • You know what this means - (Score:5, Funny)

    by mtrisk ( 770081 ) on Friday December 23, 2005 @05:38AM (#14325625) Journal
    Installing Symantec on your Mac makes it LESS secure than it was before.

    How ironic...

    • Re:You know what this means - (Score:4, Funny)

      by moro_666 ( 414422 ) <kulminaator&gmail,com> on Friday December 23, 2005 @06:21AM (#14325724) Homepage
      It's also pretty ironic that if you wouldn't have symantec installed, you'd be safe from the virus in the rar archives.

        Getting your machine infected because you have an antivirus installed is definitely a new thing, way to go Symantec :)

        ps. why is there no (or where is it ?) opensource antivirus software for windows ? sure it would be heavy work to keep it up with all the viruses. but with some support from some foundations it would be a good thing.

      next thing coming along will drm software that prevents drm from protecting the content.... sony's turn ....

    • Re:You know what this means - (Score:4, Informative)

      by KiloByte ( 825081 ) on Friday December 23, 2005 @06:33AM (#14325746)
      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall. This applies both to real Unix systems and to Windows. These days, most virus/worm/spyware install 10-20 "friends", each updated on a frame of several days. It's pretty hard to get all of these, considering that most anti-crapware software has a detection rate of 30% or less (not counting any _old_ pests).

      Thus, as parent said, AV actually makes your system less secure, provided you or your OS follow at least some basic security rules; it adds no security while creating new holes on its own. Also, performance lost to the scanner wasting your memory and CPU is not free, either.

      Of course, if you're unlucky enough to work in tech support for Windows machines, this analysis doesn't apply. But, if you can get the boxes locked down, don't even bother paying the AV protection racket.

      • Re:You know what this means - (Score:5, Funny)

        by Scarblac ( 122480 ) <slashdot@gerlich.nl> on Friday December 23, 2005 @07:00AM (#14325791) Homepage

        Actually, anti-virus software is nothing but snake oil and a money grab these days.

        Why?

        Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall.

        Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      • I try to keep Norton AV up to date on my XP box, but I know that eventually the system will get bogged down or fowled up somehow. I'm just going along with the game.
        Main user on this machine wants to use AOL, which supposedly has it's own scanners. I get a popup in the tooltray that says AOL is doing a quick check (of something), even if I am not logged in AOL.
        Most of the time, I just run Kanotix or my own Knoppix remaster and forget about XP.
        It is a ripoff in that newbies are told the system is secure when
      • Its funny how many people think antivirus programs work. Someone's computer is compromised by a new virus, so its up to me to check it out. But then my mom looks over my shoulder and says,"Just run Anti-Virus and fix it." I get shocked looks when I say antivirus only stops at best 1% of viruses out there, never gets any of the new viruses stopped, and is mainly out just to grab your money off you.

      • Actually, anti-virus software is nothing but snake oil and a money grab these days.

        I guess that depends upon what you mean by "anti-virus." Server-side scanning is very useful, especially for e-mail servers and the like. Also, IDSs that include an AV component can be quite useful, discovering even zero-day worms on a network and shutting them down, while making a list of compromised machines. Client-side systems are less useful, I'll agree, but they do have their place in cleaning up old infections tha

      • I'll be the first to agree that most anti-virus software is a ripoff. But I've been steering folks clear of Symantec AV products for years now. Their stuff is bloated, buggy, and inefficient at doing the job - and insistence on going through "product activation" for retail and OEM products just make it that much less appealing.

        That said, your statement that AV software is purely "snake oil"? I have to take exception to that one. I think it's arguable that *some* people wouldn't get enough value from AV
      • Your right in that once a system is pwned, it's very difficult to clean it without a reinstall of the OS... ... But think about it for a minute. What if you could, say, BLOCK the virus from ever being installed in the first place? System not pwned, anti virus did its job.
      • Getting viruses and spyware do not call for a complete reinstall unless you can do it or have someone who can. I work for a large PC in home repair company and I do over 10 virus and spyware cleanups a week. Very rarely do I ever have to reinstall systems. To clean viruses I charge $85-$127.50 depending on how long it takes ($85 an hour). A reinstall and getting all apps reinstalled and working usually starts at 3 hours or $255.

        I agree with you for people like me and you who can reinstall our machines a

  • Why confess? (Score:4, Interesting)

    by Jotii ( 932365 ) on Friday December 23, 2005 @05:41AM (#14325635) Homepage
    Why did Symantec verify officially that this bug was present before fixing it? Now, evil RAR packages will probably be much more wide-spread than before.

    • Re:Why confess? (Score:5, Informative)

      by wasudeo ( 201920 ) on Friday December 23, 2005 @06:01AM (#14325679)
      FTA,

      Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.
    • Which is better, being blissfully ignorant of a problem or being warned and given the information to negate it ?

    • "To date, Symantec has not had any reports of related exploits of this vulnerability."

      Then why give all this:
      "An attacker may craft a sub-block header to overwrite heap memory with user controlled file data to execute arbitrary code. Successful attack will yield system/root-level privileges and is available through e-mail without user interaction," he explained.

      Thankfully,
      To mitigate the risk before patches are ready, Symantec has posted an AntiVirus based protection signature to LiveUpdate to provide

    • Probably because people have just started seeing messages like (can't remember the exact wording from when it happened this morning) "Microsoft Run Time Library - A buffer overflow has just occurred and this program must now be terminated".

      Bit difficult to hide when the MS RTL shops you very publicly.
    • Why did Symantec verify officially that this bug was present before fixing it?
      And with it already being Christmas Eve in India, who's going to fix it quick?

      --
      Open that little WinTel laptop from Dell
      under the Christmas tree on December 25th
      and it is out-of-the-box safe and secure!

  • That's what you get for (Score:5, Insightful)

    by letdinosaursdie ( 809029 ) on Friday December 23, 2005 @05:42AM (#14325638) Homepage
    The Microsoft solution to the Microsoft solution to the Microsoft solution to the Microsoft solution to the...

  • so... (Score:1, Redundant)

    by manojar ( 875389 )
    so, no product is secure enough or free from such bugs!

  • Morons (Score:4, Insightful)

    by Anonymous Coward on Friday December 23, 2005 @05:57AM (#14325668)
    The Windows worlds most widely deployed AV solution uses MSHtml to render it's GUI, that doesn't exactly inspire faith in symantec products. Security products should do one thing well, the very concept of the all encompassing consumer 'security' application suite is flawed and yet almost every Windows desktop security product has additional 'features'.

    Computer security is not availiable in click-wrapped form, it's about time that companies stopped marketing software as some cure-all for lack of user education.

    • The Windows worlds most widely deployed AV solution uses MSHtml to render it's GUI, that doesn't exactly inspire faith in symantec products.

      Why not? Do you think Symantec is going to generate malware HTML to exploit a hole in IE? Get real. Symantec is in total control of the HTML that they generate for display by MSHtml.
      • What if a virus creates a file on the filesystem called ``<a href="path/to/malware">Get an update</a>''? If that's passed directly into an HTML viewer, then the user will see that he needs to get an update -- only to be infected with a virus.

        Not that that's MSHTML's fault -- it would be Symantec (or whoever) for not writing good code. However, you should make it easy for yourself to write secure code, not hard. If it's easy, you have a better chance of getting it right.

    • Re:Morons (Score:3, Insightful)

      by jayloden ( 806185 )
      Tell me about it. No more ability to scan in Safe Mode, no ability to run at all if the IE security settings are jacked up, and if mshtml is exploited, then Symantec's products are screwed.

      Whose brilliant idea was it to make an HTML GUI for a *security* product using libraries from the system that are easily compromised by unrelated events (IE security levels)?

      Right around the time they started with that was when I stopped recommending their products and started recommending AntiVir [free-av.com].

  • Symantec lost it a long time ago (Score:2, Interesting)

    by Anonymous Coward
    Our info security dept have advised us NOT to use Symantec AV products on our home PCs because, in their experience, they just don't work very well against a lot of the current crop of malware. You might as well use AVG [grisoft.com] and save the money. Norton AV also gets deep into a PC and is difficult to uninstall cleanly.
    • Why does symantec suck so bad these days? I used to use Norton Utilities with MS-DOS, before windows 3.0 came out. I thought NU was great. I've been buying symantec systems works every year, except 2005. It started to suck too much. Now, I don't even use systemworks 2004, I prefer 2003.

      I haven't seen squat for innovation in years. It is if they don't put any effort into it. It's just the same old product re-hashed, only it sucks worse.

      Maybe symantec is just putting all of their effort into the enterprize se

      • Re:What happend to Symantec? (Score:1, Informative)

        by Anonymous Coward
        Why does symantec suck so bad these days?

        Hmm, good question. Let's see what else you said:

        I haven't seen squat for innovation in years. It is if they don't put any effort into it. It's just the same old product re-hashed, only it sucks worse.

        Wow, sounds bad. Why wouldn't Symantec improve their product? Oh, wait, you also said:

        I've been buying symantec systems works every year

        Ah, I think you just answered your own question...

  • like it wasn't bad enought before (Score:5, Interesting)

    by phntm ( 723283 ) <phan70m@gma[ ]com ['il.' in gap]> on Friday December 23, 2005 @06:09AM (#14325696) Homepage Journal
    i'm a netadmin on an irc network and i've seen many zombie botnets, most of them are running "up-to-date" symantec antivirus products and feel safe while behind their backs their systems keep ddosing and hogging bandwith.
    symantec doesn't make me feel safe for sure.

  • Avast (Score:3, Informative)

    by DavidHOzAu ( 925585 ) on Friday December 23, 2005 @06:12AM (#14325701)
    http://www.avast.com/ [avast.com] Just one more reason to stick with the free (as in beer) stuff.
  • Any flaw like this is going to catch some people eventually, because they won't have updated their software for whatever reason. So that's bad news. The good news is that at least Symantec have acknowledged the problem and are taking steps to deal with it, rather than trying to hide things.

    None of this is going to make me like Symantec and its dog-slow products, but it hardly seems that big a deal. If say an open-source outfit like clamav had announced a bug it would hardly merit headlines. Going with Wi
    • Anyone currently using Norton is most likely receiving weekly or daily updates. How many companies do you know who try to update their AV software more than once a day? I work in many corporate and enterprise networks where they are pulling updates directly from Symantec's FTP server instead of waiting for LU in the hopes of avoiding the next big attack.

      With that in mind, how hard will it be for Symantec to release a fix?

      Any one who is not pulling updates at least weekly is completely vulnerable to a host

  • buffer overflow in unrar? (Score:5, Interesting)

    by wolf550e ( 940957 ) on Friday December 23, 2005 @06:21AM (#14325725)
    Does anyone know if Symantec wrote their own unrar library that is insecure or have they used Roshal's free code which was probably known to be insecure and someone just discoverd they didn't bother to fix it before including in their products?
    • They appear to have written their own rather than using free RAR code, and I say this because they had a bug in previous incarnations of DEC2RAR.DLL (up to version 3.2.12.11) that I spent much effort trying to get them to fix almost exactly one year ago. It could not understand RAR archives, both standard and self-extracting, created by RAR versions 1.5x. The process and thus the antivirus would crash when trying to unpack them without any error being displayed or logged. This didn't affect Corporate Editio

  • Tell uniformed users what AV can & can't do (Score:5, Insightful)

    by Quirk ( 36086 ) on Friday December 23, 2005 @06:30AM (#14325742) Homepage Journal
    I stopped using Symantec Products when I moved on from Windows 98 as a multimedia/game/web OS. Symatec products burrowed too deep into the OS, were impossible to elegantly uninstall, and, the Norton Tool set really wasn't as necessary as it once was.

    I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

    My biggest beef is not with the AV makers, but, rather, with the retail sales people who sell AV software and tell unknowledgeable buyers that their system is now protected against all malware, because, superduper AV ware scans everything before you use it and ensures no malware can execute.

    I try to explain to people that AV is alot like a flu shot. It's good enough to give you some protection from the bugs we know are out there but is ineffective against the new, bad stuff coming down the pike.

  • Wait wait wait... (Score:5, Funny)

    by Spazholio ( 314843 ) <slashdot@le[ ].net ['xal' in gap]> on Friday December 23, 2005 @06:30AM (#14325743) Homepage
    Fuck this "buffer overflow" crap. You mean to tell me RAR actually stands for something?

  • only version 10.x of Corporate Edition ... (Score:4, Insightful)

    by Anonymous Coward on Friday December 23, 2005 @06:37AM (#14325756)
    So according to the Symantec advisory [symantec.com] the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work ... not anymore!
    • Don't. 10 is shit - especially if you run slower computers. The resident scanner is a memory pig and slows machines down significantly. Also, if you have win2k boxes with office 2k, it breaks the install and constantly wants the users to insert the installation medium.
      We had a ball of fun upgrading to 10.
  • In this scenario,how reliable is AVG Antivirus from Grisoft? I've heard its good?
    Can it be used as a alternative to symantec?
    • Not at all, trend micro/mccafee/kesperski are the only real choices for windows boxes, pick the one you like/are fan of :)
      • Although I don't agree with your opinion about AVG, I do agree to all your alternative solutions you mentioned. I've been using all 4 (at the same time mind you....) and I have never received an email with a virus attached that I've opened and gotten a virus with all those installed.

        Now the getcha point is when I send email, everyone else tells me I'm sending viruses. Sheesh when will people learn, that what I send them is crap anyways.

        Ok, the real reply. I do like your list of alternative
        • A good indicator of the current standing of AV products (and it rings true from personal cleanup of around 10 virus infected machines a week, most of which have anti virus solutions installed) is http://overclockers.com/articles1260/ [overclockers.com]

          Interesting thing of note, trend micros online "housecall" virus scanner is now a fully java implemented scanner AND remover of viruss and adware. Finally a cross platform FREE quick scan that will find 99 out of 100 new virus infections :)

          Also, are you refering to AVG "free" or

  • Return of.. (Score:2, Interesting)

    by Egregius ( 842820 )
    Return of the virusses that activate when scanned over. Last time this happened was in..what? The eighties? I always wondered how it was possible for code to become active when scanned over, but now that I do, I really have to frown at this.

  • Why AV Is Innefective from Malware POV (Score:4, Informative)

    by TheUncleD ( 940548 ) on Friday December 23, 2005 @07:48AM (#14325877)
    Coding or I should say, 'Encoding has come a long ways.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" are in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

    A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
    Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its Liveupdate a way for all people infected to remove it. Given this, they must either constantly compete with Nortons LiveUpdate's or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, its in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot"packer" is packing their bots uniquely, obscuring the strings from norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, its a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).

    • Re:Why AV Is Innefective from Malware POV (Score:1, Informative)

      by Anonymous Coward
      It examines what are known as string literals. ...

      What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.

      Not quite. There are many more characteristics of a binary that AV programs can use to create a signature. I can't really discuss them specifically, but string literals are really low-hanging fruit. AV programs will frequently look for specific
      • What if the program is encrypted and/or compressed with a proprietary algorithm? In that case, there isn't really much to match against, except the decryption code itself. However, this is such a small part of the overall program that it would be difficult to key on that part... which may itself be polymorphic to some degree. Or it may be an "official" decompressor such as UPX, and keying on it will raise too many false positives.

        So the AV program is stuck with executing the decrypting or decompressing cod

        • What if we encrypted our virus with a random encryption, and only the decrypter could be scanned for? Well, if we did that, we'd be doing what viruswriters were doing late eighties/early nineties. What ever came of it? Anti-virus writers outsmarted the viruswriters, by actually scanning for the decoding pieces or patterns in the code that indicated certain types of encryption.

          Now we're slightly further down the road, and we moved from encrypted to oligomorphic (weak polymorphism) to polymorhpic to metamor
  • So you're telling me, that my ENTIRE college, with the world's stupidest tech department, is forced to rely on symantec corporate edition..... All because it's supposed to STOP the viruses. Will someone PLEASE tell me how this is helping now?
    • Yup, the timing couldn't be better! A few nice days for the virus writers to send out some exploits over the holidays, workers comes back January 3 - PCs powered off over the break and not updated - and check their email first thing. Ought to be an *interesting* new year.
      • I suppose the only way this could be better if the college also forced EVERYONE to have SP2 with their windows.... AND most don't have spyware.

  • If I was to invent a new virus scanner right now, I would make sure all my decompression and scanning code runs in some managed environment, like a .NET/Mono runtime or as Java bytecode.

    Christian
  • From the Symantec advisory:

    "Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version."

    In the end, this could turn into a win for them. Everyone lagging behind on affected products will have to shell out for the upgrade.

    I bet we won't see any of those "free after rebate" deals for a while...

    -bitrot-

    • On a production mega corporation network with server counts in the thousands this isnt a walk in the park. I was sure when I checked which revisions were vulnerable ( that I care about ) and Corporate Edition 8 + 9 are listed as 'unaffected' Very curious. Although Corporate Edition 10 does have a publicly downloadable patch listed. Glad I am not in the middle of an upgrade to CE V10.
  • Doesn't yahoo, or msn use Norton AV as its scanning engine? I imagine the same flaw exists unless the enterprise av engine is vastly different from the person av engine.
  • I don't have the bulletin at home and I'm not at work or I'd post a link but this isn't as bad as it sounds. The virus definitions as of 12/20 detect the malformed RAR files as a heuristics detection so as long as your definitions are 12/20 or newer, you should be mostly safe.
  • Buffer overflows and other security issues are a dime a dozen. Just subscribe to Secunia's [secunia.com] RSS feed [secunia.com] to see that.
  • Every time I get to fix a machine, it is one that other people tried and couldn't fix. In all cases, the machine is running up to date Norton or Mcaffee scanners.

    Consequently, the first thing i do, is uninstall all anti-virus crap, then reboot into safe mode and install my trusted utilities: Anti-Vir, Spybot S&D, Adaware and Hijackthis from a CDROM containing the latest updates.

    Lately however, I have run into the Smitfraud-C piece of work. This thing requires a dedicated remover called Smitrem, otherw
  • Further Proof to management that keeping attachments @ 5mb was a great idea.

Slashdot Top Deals

"Once they go up, who cares where they come down? That's not my department." -- Werner von Braun

Close