Symantec Antivirus May Execute Virus Code 388
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.
Immediately patch? Really? (Score:5, Informative)
I've checked several versions, starting with the corporate edition which we use.
Better than just free (Score:5, Informative)
AVG, free and worry free. (This was not a paid endorsement)
Re:Better than just free (Score:5, Informative)
On http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]
"Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."
Re:Better than just free (Score:2, Informative)
What company do you work for again?
Re:Better than just free (Score:5, Informative)
Re:Immediately patch? Really? (Score:3, Informative)
Re:Immediately patch? Really? (Score:5, Informative)
Actual Vulnerability Link (Score:4, Informative)
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
Re:Immediately patch? Really? (Score:5, Informative)
Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.
Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that.
Re:Corporate Edition (Score:2, Informative)
I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.
He then told me that the MR packs are "not available unless you call tech support".
I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.
He at least sent me a link to download the latest releases.
Thanks Symantec. I had to pull at your teeth to get you to talk, and only then you just spoke the least necessary. Great service.....:)
More details here... (Score:5, Informative)
The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.
So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.
This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
Re:a minor flaw in his logic (Score:1, Informative)
LiveUpdate will handle patch (Score:2, Informative)
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
So users with LiveUpdate should use tool to handle updates. BTW, my LiveUpdate didn't install any client patch. yet.
Re:Immediate patch... (Score:3, Informative)
Deja vu... (Score:4, Informative)
McAffee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).
Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
Re:And Now... The Link to Symantec's response (Score:3, Informative)
Linux Is Vulnerable (Score:3, Informative)
So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on this, not just the Windows guys.
Re:Better than just free (Score:2, Informative)
As long as it's not company policy ie. each employee that uses it is installing it for personal use, it's free.
Sorry, I have to disagree seeing as how Grisoft explicitly state on their website "for private, non-commercial, single home computer use only."
Re:Immediately patch? Really? (Score:3, Informative)
http://www.sarc.com/avcenter/security/Content/200
Or... (Score:4, Informative)
Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!
And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
Re:Immediately patch? Really? (Score:3, Informative)
You don't have to do it "manually" unless your network is completely unmanaged, if you can't run login scripts, or push via Active Directory, or use the client install utility with Administrative username and password, what were you networking these computers for exactly?
According to the advisory [sarc.com] 9.0.2.1000 is safe from this so you don't have to upgrade ASAP.
Re:Immediately patch? Really? (Score:2, Informative)
http://securityresponse.symantec.com/avcenter/sec
9.0.2.1000 = MR2
Excerpt:
Maintenance Release 1(MR1) (not available in all regions) or Maintenance Release 2 (MR2) disables the installed DEC2EXE engine and is NOT vulnerable to this exploit since the DEC2EXE engine is not called to parse UPX files. The latest Maintenance Release (MR3) removes the DEC2EXE engine, which Symantec strongly recommends. However, some customers may not be able to install the latest MR3 immediately.
Comment removed (Score:5, Informative)
Helpful Articles On Virus Scanner Selection (Score:3, Informative)
http://www.virusbtn.com/vb100/archives/products.x
http://www.pcworld.com/reviews/article/0,aid,1159
SAV CE (Score:3, Informative)
Syamantec pretty much assume that if you are running SAV CE, than you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (eg, how to specify the group server).
Re:Immediately patch? Really? (Score:4, Informative)
Re:Immediately patch? Really? (Score:3, Informative)
Glad I don't use Symantec.... (Score:2, Informative)
Re:Affected corporate edition versions (Score:1, Informative)
I just got the *OPPOSITE* information from technical support. They told me that I *HAD* to contact them in order to download it.
I'm a gold support user and I was *NEVER* notified that the fixes (1, 2 or 3 for Corporate Edition) were even available. The answer I got was that your only notified about major releases (8.0, 9.0, 10.0).
I'm hope that your ok. Me, I'm downloading patches....
Norton = piece of $hit (Score:3, Informative)
Stay far away from Norton. It's worthless.
Re:patch available (Score:1, Informative)
Go to http://licensing.symantec.com/. From there, you can select the Product Media link on the bottom of the page and Click to Download. Select your language, and then on the next page, enter your product's serial number. The serial number will probably be either on your product media or on your support certificate. This will take you to a link where you can download the entire product media for Symantec AntiVirus Corporate Edition v9.0.2.1000. Note that this is a 218MB download, so it may take a while, though I'm currently getting about 275KB/sec. I hope this helps everyone out!
Re:Immediately patch? Really? (Score:1, Informative)