
Security Bug

Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.

Comments Filter:
  • by dtfinch ( 661405 ) * on Thursday February 10, 2005 @11:37AM (#11630326) Journal
    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.
  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Thursday February 10, 2005 @11:37AM (#11630333) Journal
    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)
  • by Zlib pt ( 820294 ) on Thursday February 10, 2005 @11:41AM (#11630392)
    "I use AVG on all my company systems and can say that in addition to being free"

    On http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]

    "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."
  • by Trigun ( 685027 ) <evil@evil e m p i r e . a t h .cx> on Thursday February 10, 2005 @11:41AM (#11630396)
    I thought that it was free for personal use only.

    What company do you work for again?
  • by Dot.Com.CEO ( 624226 ) on Thursday February 10, 2005 @11:43AM (#11630432)
    I hate to break this to you but avg is NOT free in a commercial environment.
  • by Anonymous Coward on Thursday February 10, 2005 @11:45AM (#11630457)
    RTFA, If you are using LiveUpdate, it already installed it.
  • by Anonymous Coward on Thursday February 10, 2005 @11:46AM (#11630473)
    Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.
  • by Talian ( 746379 ) * on Thursday February 10, 2005 @11:53AM (#11630589)
    Got this link from Platinum support. UPX Parsing Engine Heap Overflow [sarc.com]

    It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
  • by Sethb ( 9355 ) <bokelman@outlook.com> on Thursday February 10, 2005 @11:53AM (#11630596)
    If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000.

    Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

    Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients; Symantec (or at least the rep I talked to) suggests completely removing the server (via Add/Remove Programs) and installing the new version, not merely doing an update.
  • Re:Corporate Edition (Score:2, Informative)

    by Anonymous Coward on Thursday February 10, 2005 @11:53AM (#11630598)
    The support engineer that I spoke with today stated that even though we have gold support, you don't get notified for anything except "major releases".

    I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.

    He then told me that the MR packs are "not available unless you call tech support".

    I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.

    He at least sent me a link to download the latest releases.

    Thanks Symantec. I had to pull at your teeth to get you to talk, and only then you just spoke the least necessary. Great service.....:)
  • More details here... (Score:5, Informative)

    by Otto ( 17870 ) on Thursday February 10, 2005 @11:55AM (#11630637) Homepage Journal
    http://www.symantec.com/avcenter/security/Content/2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
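The pattern Otto describes above (a scanner must decompress a packed executable before it can scan it, and a crafted file can overflow the heap buffer the decompressor allocates) is shown below as an added example. This is not Symantec's DEC2EXE code and not the real UPX format: it is a hypothetical toy run-length "packer" with a header that claims an unpacked size, written here to contrast the trusting decoder with a bounds-checked one. The format, the `TPK1` magic, the 64 MiB cap and the sample inputs are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy packed-executable format (not UPX, not Symantec's DEC2EXE):
 *   bytes 0..3  : magic "TPK1"
 *   bytes 4..7  : claimed unpacked size, little-endian u32
 *   bytes 8..   : run-length pairs (count, value) until the input ends
 */
#define TPK_HDR_LEN 8
#define TPK_MAX_UNPACKED (64u * 1024u * 1024u)   /* policy cap; an assumption */

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Number of bytes the run-length stream really expands to, regardless of
 * what the header claims. */
size_t tpk_expanded_size(const unsigned char *in, size_t in_len) {
    size_t total = 0;
    for (size_t i = TPK_HDR_LEN; i + 1 < in_len; i += 2)
        total += in[i];
    return total;
}

/* VULNERABLE pattern: the allocation is sized from the header, but the
 * writes are driven by the run-length stream. A file whose runs expand to
 * more than the claimed size writes past the end of the heap block.
 * Kept only for illustration; main() never feeds it the malicious sample. */
unsigned char *tpk_unpack_trusting(const unsigned char *in, size_t in_len,
                                   size_t *out_len) {
    uint32_t claimed = le32(in + 4);
    unsigned char *out = malloc(claimed);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = TPK_HDR_LEN; i + 1 < in_len; i += 2) {
        memset(out + o, in[i + 1], in[i]);  /* no check that o + in[i] <= claimed */
        o += in[i];
    }
    *out_len = o;
    return out;
}

/* HARDENED: the header is validated, the claimed size is capped, every
 * write is bounded by the allocation, and a stream that does not expand to
 * exactly the claimed size is rejected as malformed. NULL on any problem. */
unsigned char *tpk_unpack_safe(const unsigned char *in, size_t in_len,
                               size_t *out_len) {
    if (in_len < TPK_HDR_LEN || memcmp(in, "TPK1", 4) != 0) return NULL;
    if ((in_len - TPK_HDR_LEN) % 2 != 0) return NULL;        /* truncated pair */
    uint32_t claimed = le32(in + 4);
    if (claimed == 0 || claimed > TPK_MAX_UNPACKED) return NULL;
    unsigned char *out = malloc(claimed);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = TPK_HDR_LEN; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (count > claimed - o) { free(out); return NULL; }  /* would overflow */
        memset(out + o, in[i + 1], count);
        o += count;
    }
    if (o != claimed) { free(out); return NULL; }             /* size mismatch */
    *out_len = o;
    return out;
}

/* Constructed samples: a benign file that expands to "AAABBB", and a
 * malicious one that claims 4 bytes but expands to 510. */
static const unsigned char benign[]    = { 'T','P','K','1', 6,0,0,0, 3,'A', 3,'B' };
static const unsigned char malicious[] = { 'T','P','K','1', 4,0,0,0, 255,0x90, 255,0x90 };

int main(void) {
    size_t n = 0;
    unsigned char *p = tpk_unpack_safe(benign, sizeof benign, &n);
    printf("benign: %s, %zu bytes\n", p ? "accepted" : "rejected", n);
    free(p);

    p = tpk_unpack_safe(malicious, sizeof malicious, &n);
    printf("malicious: %s\n", p ? "accepted" : "rejected");
    free(p);
    printf("trusting decoder would write %zu bytes into a %u-byte heap block\n",
           tpk_expanded_size(malicious, sizeof malicious), le32(malicious + 4));
    return 0;
}
```

The point of the safe variant is that the header is treated as a claim to be verified, not a fact: the output buffer is bounded on every write, and a file whose decompressed length disagrees with its header is refused rather than scanned. Rejecting the file is the right outcome for a scanner, since a sample the engine cannot parse consistently is exactly the kind of input an attacker crafts.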
  • by Anonymous Coward on Thursday February 10, 2005 @11:59AM (#11630703)
    Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.
  • by SoumyaRay ( 458361 ) on Thursday February 10, 2005 @12:01PM (#11630736)
    The linked article states that:
    Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.

    So users with LiveUpdate should use the tool to handle updates. BTW, my LiveUpdate hasn't installed any client patch yet.
  • by Dav3K ( 618318 ) on Thursday February 10, 2005 @12:06PM (#11630813)
    Given the current business risk of operating on a virus-encumbered operating system like windows, it surprises me that a plan to transition employees has not already been started. Unless of course, the occasional couple of days of downtime is an acceptable business cost. Really, if you factor in the additional costs of running windows over running JUST ABOUT ANY OTHER OS, you could easily make a solid business case to at least INVESTIGATE the possibility of running on a more secure OS. I am sure you will find equivalent applications to replace most of your internal windows-based programs, and for the ones you cannot, there is the possibility of running them under WINE. It also would not be difficult to come up with a plan to transition your thousands of employees - and executives WILL listen if it means you could save them time and frustration. Yes, it demands work up front - but that's easier to schedule than unexpected downtime from the latest wave of viruses.
  • Deja vu... (Score:4, Informative)

    by Spy der Mann ( 805235 ) <spydermann.slash ... m ['mai' in gap]> on Thursday February 10, 2005 @12:12PM (#11630921) Homepage Journal
    Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).

    McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).

    Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
  • by JSmooth ( 325583 ) on Thursday February 10, 2005 @12:17PM (#11630998)
    Sorry... http://www.symantec.com/avcenter/security/Content/2005.02.08.html
  • Linux Is Vulnerable (Score:3, Informative)

    by rsmith-mac ( 639075 ) on Thursday February 10, 2005 @12:20PM (#11631065)
    I know the OP was just trying to be funny, but seriously, from TFA:
    Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

    So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner (such as an email server) is vulnerable. Everyone needs to patch on this, not just the Windows guys.

  • by freshman_a ( 136603 ) on Thursday February 10, 2005 @12:23PM (#11631109) Homepage Journal

    As long as it's not company policy ie. each employee that uses it is installing it for personal use, it's free.

    Sorry, I have to disagree seeing as how Grisoft explicitly state on their website "for private, non-commercial, single home computer use only."
  • by davez0r ( 717539 ) on Thursday February 10, 2005 @12:29PM (#11631199)
  • Or... (Score:4, Informative)

    by The Spoonman ( 634311 ) on Thursday February 10, 2005 @12:30PM (#11631206) Homepage
    Symantec recommends you immediately patch your software

    Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned, and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one; why bother scanning it? There are ways that were designed for transporting these things; e-mail was not one of them!

    And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
  • by Sethb ( 9355 ) <bokelman@outlook.com> on Thursday February 10, 2005 @12:42PM (#11631381)
    It's more than a patch you download, it's an entire new CD, it was 218MB for me.

    You don't have to do it "manually" unless your network is completely unmanaged, if you can't run login scripts, or push via Active Directory, or use the client install utility with Administrative username and password, what were you networking these computers for exactly? :)

    According to the advisory [sarc.com] 9.0.2.1000 is safe from this so you don't have to upgrade ASAP.
  • by stanleypane ( 729903 ) on Thursday February 10, 2005 @12:43PM (#11631395)
    You're fine, check this link out:

    http://securityresponse.symantec.com/avcenter/security/Content/2005.02.08.html

    9.0.2.1000 = MR2

    Excerpt:
    Maintenance Release 1(MR1) (not available in all regions) or Maintenance Release 2 (MR2) disables the installed DEC2EXE engine and is NOT vulnerable to this exploit since the DEC2EXE engine is not called to parse UPX files. The latest Maintenance Release (MR3) removes the DEC2EXE engine, which Symantec strongly recommends. However, some customers may not be able to install the latest MR3 immediately.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday February 10, 2005 @12:58PM (#11631608)
    Comment removed based on user account deletion
  • by jmole ( 696805 ) on Thursday February 10, 2005 @01:01PM (#11631650)
    Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:

    http://www.virusbtn.com/vb100/archives/products.xml? [virusbtn.com]
    http://www.pcworld.com/reviews/article/0,aid,115939,pg,5,00.asp [pcworld.com]
  • SAV CE (Score:3, Informative)

    by bsd4me ( 759597 ) on Thursday February 10, 2005 @01:05PM (#11631723)

    Symantec pretty much assumes that if you are running SAV CE, then you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (e.g., how to specify the group server).

  • by andynms ( 564072 ) on Thursday February 10, 2005 @01:26PM (#11632047)
    For reference, the download site for corporate users is https://fileconnect.symantec.com/licenselogin.jsp [symantec.com]. You need to log in with your corporate serial number.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday February 10, 2005 @01:50PM (#11632412) Homepage Journal
    You are WRONG sir. I read their advisory and the version of SAV I have on my system here is vulnerable, but there are no patches for it in LiveUpdate. I do know LU is working, because it did install some new virus defs, but it did not update the SAV version.
  • by imemyself ( 757318 ) on Thursday February 10, 2005 @01:56PM (#11632508)
    I'm glad I switched from Symantec Corp to McAfee Enterprise a few months ago. While I'm not terribly happy with McAfee (uses lots of CPU when browsing directories with many gigs of files), Symantec really pissed me off when I removed it. I had to spend about an hour removing registry keys that their uninstaller was too lazy to remove. It couldn't have been that difficult for them to have the installer remove them, but instead they give you three pages of crap that you must remove from various locations in the registry. That has totally made me rethink using Symantec stuff again.
  • by Anonymous Coward on Thursday February 10, 2005 @02:04PM (#11632599)
    Your 9.0.1.1000 indicates that FIX #1 was *already applied*.

    I just got the *OPPOSITE* information from technical support. They told me that I *HAD* to contact them in order to download it.

    I'm a gold support user and I was *NEVER* notified that the fixes (1, 2 or 3 for Corporate Edition) were even available. The answer I got was that you're only notified about major releases (8.0, 9.0, 10.0).

    I hope that you're ok. Me, I'm downloading patches....
  • by Jesus IS the Devil ( 317662 ) on Thursday February 10, 2005 @02:04PM (#11632600)
    Norton Antivirus has been the biggest pile of $hit AV I've ever used. It routinely misses well-known trojans/viruses. I've gotten my system infected twice in the past by simply visiting a page in IE. Norton just shut down and my system got infected. Doing a free scan at housecall.trendmicro.com, Trend Micro was able to detect the virus easily. Norton just kept telling me no virus was found.

    Stay far away from Norton. It's worthless.
  • Re:patch available (Score:1, Informative)

    by Anonymous Coward on Thursday February 10, 2005 @03:09PM (#11633434)
    After a 30-minute call with Symantec (most of which was being on hold), I found out this information:

    Go to http://licensing.symantec.com/. From there, you can select the Product Media link on the bottom of the page and Click to Download. Select your language, and then on the next page, enter your product's serial number. The serial number will probably be either on your product media or on your support certificate. This will take you to a link where you can download the entire product media for Symantec AntiVirus Corporate Edition v9.0.2.1000. Note that this is a 218MB download, so it may take a while, though I'm currently getting about 275KB/sec. I hope this helps everyone out!
  • by Anonymous Coward on Thursday February 10, 2005 @09:58PM (#11637547)
    If you're running in a corporate environment, LU will only pull defs but not patches (generally, depending of course on how it's configured). Most companies want to keep pretty tight control of which builds of which software are running on their boxen, so LU only pushes virus defs. If you are running on such a network, I imagine your IT staff is in the process of figuring out how to get everybody on a non-vulnerable build.
