Security Bug

Symantec Antivirus May Execute Virus Code

Posted by Zonk
from the antivirus-not-so-anti dept.
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.
  • by dtfinch (661405) * on Thursday February 10, 2005 @11:37AM (#11630326) Journal
    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.
    • by mrighi (855168) on Thursday February 10, 2005 @11:40AM (#11630377) Homepage
      That's because they gave out the wrong link. What they really meant to say was, "Symantec recommends you immediately patch [mcafee.com] your software."
    • Perhaps the patches were released in yesterday's (2/9/05) update that I got?
    • by Anonymous Coward
      RTFA. If you are using LiveUpdate, it already installed it.
    • by Anonymous Coward on Thursday February 10, 2005 @11:46AM (#11630473)
      Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.
    • by Sethb (9355) <bokelman@gmail.com> on Thursday February 10, 2005 @11:53AM (#11630596) Homepage
      If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000.

      Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

      Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients. Symantec (or at least the rep I talked to) suggests completely removing the server (via add/remove programs) and installing the new version, not merely doing an update.
    • Re:Corporate Edition (Score:2, Informative)

      by Anonymous Coward
      The support engineer that I spoke with today stated that even though we have gold support you don't get notified for anything except "major releases".

      I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.

      He then told me that the MR packs are "not available unless you call tech support".

      I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.

      He at lea
    • The linked article states that:
      Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.

      So users with LiveUpdate should use the tool to handle updates. BTW, my LiveUpdate didn't install any client patch yet.
    • by sigaar (733777) on Thursday February 10, 2005 @12:01PM (#11630739)
      Would it matter? Symantec's antivirus products are getting shittier by the day. I've lost count of the times that I go to a first time client who's complaining their computer is behaving "funny."

      I sit down in front of the computer, and I can see it's infected with something. The signs are there, the writing is on the wall. But Norton/Symantec enterprise, updated and all, is telling me it's clean. So I download McAfee Stinger or BitDefender's free scanner, clean the machine out, and sell something better to them.

      Case in point. I have a client whose ISP is running Symantec antivirus gateway on the ISP side. Behind that gateway, I've got a postfix box with amavis-new and clam, h+bedv and bitdefender scanners. You won't believe the amount of viruses I still catch, stuff that makes it through symantec's waste_of_cpu_cycles_software.

      Symantec was the good stuff back in the good old DOS days. Now they're basking in their former glory, but they're losing business and I'm happy to see them burn if they don't get off their butts and start improving their software.
      You are correct. The article is misleading. Not all Symantec products are vulnerable. Go here [symantec.com] to see if your product requires the update.

      Luckily my product here at work does not require the update. I will however have my qmail/ClamAV mail router filter out UPX files as a precaution.
  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Thursday February 10, 2005 @11:37AM (#11630333) Journal
    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)
  • huh? (Score:5, Insightful)

    by justforaday (560408) on Thursday February 10, 2005 @11:38AM (#11630336)
    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?
    • Re:huh? (Score:5, Funny)

      by pegasustonans (589396) on Thursday February 10, 2005 @11:43AM (#11630415)
      No, you've got it all wrong. The person didn't actually exist, and all of the people who thought about the person existing didn't exist either. And all of the people who thought the person might or might not exist, but probably didn't, and should therefore be disregarded, were very clever and were hired by anti-virus companies to do their PR for them.
    • Re:huh? (Score:3, Funny)

      by LourensV (856614)
      I think he is a quantum physicist...
    • Re:huh? (Score:4, Insightful)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday February 10, 2005 @11:49AM (#11630530) Homepage Journal
      Yeah, I don't even have to RTFA to know that this guy is a complete idiot. Anyone who is willing to say that has his head so far up his ass that he can look out of his own nostrils. If there's a weakness in, say, the breastplate of a suit of armor, it's a vulnerability. If you get hit there, you are more likely to die. It doesn't matter if someone knows about it or not. Granted there is a serious problem with that metaphor in that you typically don't exploit problems by accident, but it seems highly likely to me that someone actually IS exploiting it out there, and that's why they discovered the hole in the first place. Symantec is not exactly known for having the highest-quality virus scan tool out there, although I do like their corporate version. Still, their software is full of bugs and inconsistencies (some places ^A works, some places it doesn't, for example) and it has always been thus.
    • Re:huh? (Score:3, Interesting)

      by cronius (813431)
      I second that. What an incredibly stupid statement. Like as if they are the ones deciding what is known and what isn't, like as if they must know more than anyone, so if *they* don't know, nobody does.

      I mean, why do viruses exist in the first place? Is it because they exploit open, known vulnerabilities? Or is it because crackers *find* vulnerabilities to exploit?

      Talk about stupid.

    • > > "A vulnerability is not a vulnerability till somebody discovers it..."

      > Huh?

      Sir Lancelot: "I hate to go into battle with this big f*ing hole in my chainmail, but fortunately my tabard will hide it."

    • Re:huh? (Score:2, Insightful)

      by Broiler (804077)
      If a tree falls in the woods and no one is there to hear it, does it make a sound?
    • Re:huh? (Score:3, Insightful)

      by gryfen (853155)
      Of course! It's the standard corporate PR stance regarding vulnerabilities:
      The User of Our Software May Feel Secure, because:
      (1) Any bugs which may or may not hypothetically exist in our software do not *actually* exist until someone publicly blows the whistle (refer to the cat in the box)
      (2) The whistleblower is actually the one to blame for the insecurity existing, not our poor coding and software testing standards.
      (3) Ignore the [H,Cr]acker Behind the Curtain who may or may not have discovered the hyp
  • by ral315 (741081)
    May I be the first to congratulate our executable overlords!
  • http://fedora.redhat.com/
    • Thanks. Now, can you explain how my company is to quickly move all of the thousands of employees and all of our internal Windows-based applications to redhat in the next 24 hours?

      • Thanks. Now, can you explain how my company is to quickly move all of the thousands of employees and all of our internal Windows-based applications to redhat in the next 24 hours?

        Amphetamine.
      • With diskless netboot..
      • quick! (they are still accepting questions)

        ask this guy http://interviews.slashdot.org/article.pl?sid=05/02/09/1226200&tid=201&tid=11&tid=106 [slashdot.org]
      • Yes, and it would only cost you half of what it would cost to move from Linux to Windows.
      • by Dav3K (618318)
        Given the current business risk of operating on a virus-encumbered operating system like windows, it surprises me that a plan to transition employees has not already been started. Unless of course, the occasional couple of days of downtime is an acceptable business cost. Really, if you factor in the additional costs of running windows over running JUST ABOUT ANY OTHER OS, you could easily make a solid business case to at least INVESTIGATE the possibility of running on a more secure OS. I am sure you will fi
        • My company already has a plan and fully intends to move to Linux. Unfortunately, as my post indicates, moving all of our employees and all of our applications will take a long time. As of June, 2004, we were shooting for 18 months. At this point, I think we will miss that deadline.

          In short, the reality of this migration is smacking us right in the face.

    • by Mant (578427) on Thursday February 10, 2005 @12:20PM (#11631067) Homepage

      If you would RTFA:

      Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

      This isn't an OS problem, this is an application problem.

      Of course hackers are less likely to write something that runs on a non-Windows OS, but the flaw isn't fixed by moving from Windows.

  • Damn! (Score:3, Funny)

    by JanneM (7445) on Thursday February 10, 2005 @11:39AM (#11630355) Homepage
    No time to waste! Systems may already be infected, so better get offline immediately, review what installed software is at risk and start figuring out a way to get the patches... no, wait, I run linux.

    Wonder what's on TV tonight?
    • Re:Damn! (Score:2, Funny)

      by spiffyinferno (832679)
      "Wonder what's on TV tonight?" I believe you can catch the systemic failures of Windows PCs everywhere in primetime, with a Bill Gates wardrobe malfunction at the break.
    • Lost for me. Not sure if you live in Sydney like I do, but if you do, I've made today's vulnerability tragedy just a little better.
    • Re: Damn! (Score:3, Funny)

      by Black Parrot (19622)

      > no, wait, I run linux. Wonder what's on TV tonight?

      Switch to Gentoo and you'll have something to do tonight.

    • Linux Is Vulnerable (Score:3, Informative)

      by rsmith-mac (639075)
      I know the OP was just trying to be funny, but seriously, from TFA:

      Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

      So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on

  • by Anonymous Coward
    if you went in for an STD test and they gave you herpes!
  • The UPX license expressly prohibits modifying exes after they've been compressed.
  • Because it proves that tool vendors are really some of our worst enemies and closed source tool vendors are the worst of all.

    They have their hand out day after day for maintenance and updates and yet never REALLY bother to check if their own crap is working correctly.
  • Just another reason to go to free anti-virus software, such as AVG or Avast. I have removed Norton from all my personal computers and replaced them with Avast.

    I just wish big corporations would realize that by using Norton/Symantec, that they are using the most targeted [by antivirus-disabling viruses] antivirus software out today.
    • by Pionar (620916) on Thursday February 10, 2005 @11:57AM (#11630661)
      Yada yada yada.

      Well, because AVG and Avast are free, they're less vulnerable, right?

      Bullshit.

      I like the hypocrisy of people criticizing Symantec's guy for touting security through obscurity, then turning around and preaching it themselves.

      And I'd like to see how these things work in a corporate environment. Oh, wait. They don't.

      Symantec has excellent corporate support and management features.
      • NAV isn't exactly the best AV out there...

        I've lost count of the number of viruses that have been caught by AVG and missed by Norton... they only seem to push updates every few days which leaves a huge propagation time for the viruses.

        Just this week I had an instance of Norton physically corrupting a file.. Sometimes I wonder if they test their software at all.
        • I never said it was the best, but it's the best in a managed environment. And please tell me you don't run two AVs at the same time, that'd be retardulous.
      • Symantec has excellent corporate support and management features

        True.

        If only it had excellent anti-virus features to go with them.

  • by Jeff DeMaagd (2015) on Thursday February 10, 2005 @11:41AM (#11630394) Homepage Journal
    Come on! A cardboard door is not a vulnerability until someone figures out how to get it wet?!
  • by Anonymous Coward on Thursday February 10, 2005 @11:42AM (#11630403)
    Like all talking heads, the guy didn't think before opening his mouth. The problem is this: you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. There are unknowable numbers of unknown vulnerabilities and known numbers of known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.
  • Sheer brilliance (Score:5, Insightful)

    by stinky wizzleteats (552063) on Thursday February 10, 2005 @11:43AM (#11630414) Homepage Journal
    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Suppress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.
  • by Mmm coffee (679570) on Thursday February 10, 2005 @11:43AM (#11630416) Journal
    You know all those idiotic flamewars that spring up whenever the "irony" tag is used?

    Once and for all - THIS is irony. You can shut up now.
  • OMFG. Who would say it's not a vulnerability until it's known? Known by whom? If a black-hat knows, and shares it quietly with other black-hats, this could be devastating without ever being "known." This is security by obscurity, except it isn't well obscured.

    Or did Symantec know, and just not mention it to their customers (so it wasn't "known") ?
  • by JessLeah (625838) on Thursday February 10, 2005 @11:43AM (#11630436)
    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?
  • Surprisingly honest (Score:5, Interesting)

    by phorm (591458) on Thursday February 10, 2005 @11:45AM (#11630453) Journal
    I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
    Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.
  • AVG and Anti-Vir (Score:2, Interesting)

    by dlZ (798734)
    Every time I see a machine come into my store with a Symantec or a McAfee product I recommend a better solution. Running AntiVir or AVG on a machine with either product will almost always produce a large list of positives, even if they are spyware-related trojans just waiting to be run to download tons of crap. But then I also recommend and will install Firefox (or another Mozilla-based browser) on anyone's machine. Machines with Firefox tend not to come back broken 2 days later.

    This doesn't surprise me.
  • by devphaeton (695736) on Thursday February 10, 2005 @11:50AM (#11630549)
    ....Norton Antivirus/Internet Security is the biggest piece of shit excuse for security software EVAR. It is poorly designed, poorly implemented, always breaks, and the only fix is "please reinstall NIS".

    Now they're getting into spyware/adware removal, and Norton will always find stuff, but when trying to deal with it it just gives a 'delete failed' message and that's it. And it will continue to nag you about things it finds.

    People who don't know any better see these displays in Best Buy, and believe the hype and go home and install this paranoiaware. If it is NIS it promptly breaks their internet connection and screws up their email client. If they call Symantec for help in configuring, Symantec will refer them to their ISP.

    What a bunch of fucks. Color me mofo, but I'm telling people to uninstall NIS these days (and the funny thing is that complete removal often requires registry hacking). It's more trouble than it is worth. Tech support is bad enough without this crap.
    • NAV/NIS - I hate them too, with a passion, maybe not as much passion as you, but I HATE THEM. I use avast ( www.avast.com ) - it's free, and WORKS.

      I paid for NAV2004 (or whatever) and registered/activated it and it promptly broke. I uninstalled it and guess what? I had to reactivate it and call them on the phone! After not being able to do this because it was a weekend, I waited on hold for an hour on Monday and promptly gave up in disgust. So I let my pay-version of NAV go unused and instead use Avast now.
  • by Anonymous Coward
    #!/bin/sh
    # Joke "scanner": it tests each file by running it as root, i.e. it
    # executes the sample instead of inspecting it, much like the bug in TFA.
    echo Scanning...
    for file in `find /`
    do
        sudo $file
        if system_still_running    # hypothetical check; no such command exists
        then
            echo File $file OK
        fi
    done
  • by Talian (746379) * on Thursday February 10, 2005 @11:53AM (#11630589)
    Got this link from Platinum support. UPX Parsing Engine Heap Overflow [sarc.com]

    It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
  • keep it simple (Score:2, Interesting)

    by oreaq (817314)
    • Every software has bugs.
    • Some of the bugs are security related.

    If you want to have a secure system you have to use less software, not more. Virus scanners et al. are part of the problem, not part of the solution.

    "A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint-Exupery
  • More details here... (Score:5, Informative)

    by Otto (17870) on Thursday February 10, 2005 @11:55AM (#11630637) Homepage Journal
    http://www.symantec.com/avcenter/security/Content/2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
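    An added illustration of the bug class Otto describes, not Symantec's DEC2EXE code and not UPX's real file layout: a toy run-length packed format whose header declares the unpacked size, unpacked once by trusting that header and once with the bounds checks the trusting version lacks. The format, the size cap and the two sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy packed format, constructed for this example (not UPX's real layout):
 *   bytes 0..3  little-endian unpacked size, as declared by the packer
 *   bytes 4..   (count, value) run-length pairs until the input ends        */

#define MAX_UNPACKED (16u * 1024u * 1024u)   /* sanity cap on the declared size */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: the heap buffer is sized from the header's declared length,
 * but the loop writes whatever the pairs actually expand to.  A file whose
 * pairs expand past the declared size overwrites adjacent heap memory: the
 * bug class the DEC2EXE advisory describes.  Shown for contrast only; never
 * feed it untrusted input. */
uint8_t *unpack_trusting(const uint8_t *in, size_t in_len, size_t *out_len) {
    if (in_len < 4) return NULL;
    uint32_t declared = read_le32(in);
    uint8_t *out = malloc(declared);
    if (!out) return NULL;
    size_t pos = 0;
    for (size_t i = 4; i + 1 < in_len; i += 2) {
        memset(out + pos, in[i + 1], in[i]);   /* no check that pos + count <= declared */
        pos += in[i];
    }
    *out_len = pos;
    return out;
}

/* HARDENED: every write is checked against the buffer actually allocated,
 * absurd declared sizes are refused, and a declared size that disagrees
 * with the real expansion is treated as a malformed file, not trusted. */
uint8_t *unpack_checked(const uint8_t *in, size_t in_len, size_t *out_len) {
    if (in_len < 4 || (in_len - 4) % 2 != 0) return NULL;   /* header plus whole pairs */
    uint32_t declared = read_le32(in);
    if (declared == 0 || declared > MAX_UNPACKED) return NULL;
    uint8_t *out = malloc(declared);
    if (!out) return NULL;
    size_t pos = 0;
    for (size_t i = 4; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (count > declared - pos) { free(out); return NULL; }  /* would overflow: reject */
        memset(out + pos, in[i + 1], count);
        pos += count;
    }
    if (pos != declared) { free(out); return NULL; }  /* declared size must match reality */
    *out_len = pos;
    return out;
}

/* Constructed sample inputs for this example. */
static const uint8_t BENIGN[]    = { 6, 0, 0, 0,   3, 'A',   3, 'B' };  /* declares 6, expands to 6   */
static const uint8_t MALICIOUS[] = { 4, 0, 0, 0, 200, 'X', 200, 'X' };  /* declares 4, expands to 400 */

/* 1 if the checked unpacker turns BENIGN into "AAABBB". */
int benign_unpacks_to_aaabbb(void) {
    size_t n = 0;
    uint8_t *out = unpack_checked(BENIGN, sizeof BENIGN, &n);
    int ok = out != NULL && n == 6 && memcmp(out, "AAABBB", 6) == 0;
    free(out);
    return ok;
}

/* 1 if the checked unpacker refuses MALICIOUS instead of overflowing. */
int malicious_is_rejected(void) {
    size_t n = 0;
    return unpack_checked(MALICIOUS, sizeof MALICIOUS, &n) == NULL;
}

int main(void) {
    size_t n = 0;
    uint8_t *out = unpack_trusting(BENIGN, sizeof BENIGN, &n);   /* well-formed input only */
    printf("trusting unpacker on benign input: %zu bytes\n", n);
    free(out);
    printf("benign accepted: %d, malicious rejected: %d\n",
           benign_unpacks_to_aaabbb(), malicious_is_rejected());
    return 0;
}
```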
  • by OverlordQ (264228) on Thursday February 10, 2005 @11:59AM (#11630687) Journal
    It's not like FOSS hasn't had its share of local arbitrary code execution exploits before.
  • For all their pandering and pushing paranoia-ware, i sometimes suspect that maybe, just possibly, some of these worms that get released might come from Symantec themselves.

    Call conspiracy theory if you want, but it seems that with a lot of the "good" worms, Symantec is the first to announce it, and they've got a full analysis of what it does, how it works, what it's written in, etc, even if they claim the worm has only been "out" or "released" for 12-24 hours. This includes details that might be hundreds
  • ...until someone discovers it?

    Not a good way to think. That's like saying Iran having nukes isn't a concern because we haven't uncovered any direct evidence. The idea is to expose the vulnerability so you can do something about it.
  • by Anonymous Coward
    Did Microsoft buy out Norton last week?
  • "A vulnerability is not a vulnerability till somebody discovers it" - Tim Hartman / Symantec

    Hartman is saying a tree falling in a forest with no one to hear doesn't make a sound (actually, it makes the sound of one hand clapping). The severe problem with his philosophy as security corporation policy is that they don't know when it's discovered by someone. Saying it's only been discovered now that it's been published is a total misstatement of actual security: you have to assume that any hole is vulnerable
  • You can download the patch here [linuxiso.org]
  • Deja vu... (Score:4, Informative)

    by Spy der Mann (805235) <spydermann DOT slashdot AT gmail DOT com> on Thursday February 10, 2005 @12:12PM (#11630921) Homepage Journal
    Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).

    McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).

    Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
  • Or... (Score:4, Informative)

    by The Spoonman (634311) on Thursday February 10, 2005 @12:30PM (#11631206) Homepage
    Symantec recommends you immediately patch your software

    Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one; why bother scanning it? There are ways that were designed for transporting these things; e-mail was not it!

    And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
  • by zerofoo (262795) on Thursday February 10, 2005 @12:58PM (#11631608)
    I just got off the phone with my Symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.

    Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.

    -ted
  • by jmole (696805) on Thursday February 10, 2005 @01:01PM (#11631650)
    Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:

    http://www.virusbtn.com/vb100/archives/products.xml? [virusbtn.com]
    http://www.pcworld.com/reviews/article/0,aid,115939,pg,5,00.asp [pcworld.com]
  • by Jesus IS the Devil (317662) on Thursday February 10, 2005 @02:04PM (#11632600)
    Norton Antivirus has been the biggest pile of $hit AV I've ever used. It routinely misses well-known trojans/viruses. I've gotten my system infected twice in the past by simply visiting a page in IE. Norton just shut down and my system got infected. Doing a free scan at housecall.trendmicro.com, Trendmicro was able to detect the virus easily. Norton just kept telling me no virus was found.

    Stay far away from Norton. It's worthless.
  • by podperson (592944) on Thursday February 10, 2005 @02:06PM (#11632630) Homepage
    A couple of days back they rated a hack that could theoretically forge you root access to a Mac OS X box if you (a) already had an account and (b) had physical access to the machine as 6.9/10.

    Now we discover (really not surprisingly) that they themselves are a vector.