Security Bug

Symantec Antivirus May Execute Virus Code 388

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.

  • huh? (Score:5, Insightful)

    by justforaday ( 560408 ) on Thursday February 10, 2005 @11:38AM (#11630336)
    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?
  • by gelfling ( 6534 ) on Thursday February 10, 2005 @11:40AM (#11630374) Homepage Journal
    Because it proves that tool vendors are really some of our worst enemies and closed source tool vendors are the worst of all.

    They have their hand out day after day for maintenance and updates and yet never REALLY bother to check if their own crap is working correctly.
  • by Jeff DeMaagd ( 2015 ) on Thursday February 10, 2005 @11:41AM (#11630394) Homepage Journal
    Come on! A cardboard door is not a vulnerability until someone figures out how to get it wet?!
  • by Anonymous Coward on Thursday February 10, 2005 @11:42AM (#11630403)
    Like all talking heads the guy didn't think before opening the mouth. The problem is this: you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. There are unknowable numbers of unknown vulnerabilities and known numbers of known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.
  • Sheer brilliance (Score:5, Insightful)

    by stinky wizzleteats ( 552063 ) on Thursday February 10, 2005 @11:43AM (#11630414) Homepage Journal
    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Suppress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.
  • by JessLeah ( 625838 ) on Thursday February 10, 2005 @11:43AM (#11630436)
    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?
  • Re:huh? (Score:4, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday February 10, 2005 @11:49AM (#11630530) Homepage Journal
    Yeah, I don't even have to RTFA to know that this guy is a complete idiot. Anyone who is willing to say that has his head so far up his ass that he can look out of his own nostrils. If there's a weakness in, say, the breastplate of a suit of armor, it's a vulnerability. If you get hit there, you are more likely to die. It doesn't matter if someone knows about it or not. Granted there is a serious problem with that metaphor in that you typically don't exploit problems by accident, but it seems highly likely to me that someone actually IS exploiting it out there, and that's why they discovered the hole in the first place. Symantec is not exactly known for having the highest-quality virus scan tool out there, although I do like their corporate version. Still, their software is full of bugs and inconsistencies (some places ^A works, some places it doesn't, for example) and it has been always thus.
  • by devphaeton ( 695736 ) on Thursday February 10, 2005 @11:50AM (#11630549)
    ....Norton Antivirus/Internet Security is the biggest piece of shit excuse for security software EVAR. It is poorly designed, poorly implemented, always breaks, and the only fix is "please reinstall NIS".

    Now they're getting into spyware/adware removal, and Norton will always find stuff, but when trying to deal with it it just gives a 'delete failed' message and that's it. And it will continue to nag you about things it finds.

    People who don't know any better see these displays in Best Buy, and believe the hype and go home and install this paranoiaware. If it is NIS it promptly breaks their internet connection and screws up their email client. If they call Symantec for help in configuring, Symantec will refer them to their ISP.

    What a bunch of fucks. Color me mofo, but I'm telling people to uninstall NIS these days (and the funny thing is that complete removal often requires registry hacking). It's more trouble than it is worth. Tech support is bad enough without this crap.
  • by same_old_story ( 833424 ) on Thursday February 10, 2005 @11:52AM (#11630569)
    quick! (they are still accepting questions)

    ask this guy http://interviews.slashdot.org/article.pl?sid=05/02/09/1226200&tid=201&tid=11&tid=106 [slashdot.org]
  • Re:huh? (Score:2, Insightful)

    by Broiler ( 804077 ) on Thursday February 10, 2005 @11:52AM (#11630570)
    If a tree falls in the woods and no one is there to hear it, does it make a sound?
  • by lucabrasi999 ( 585141 ) on Thursday February 10, 2005 @12:18PM (#11631022) Journal

    My company already has a plan and fully intends to move to Linux. Unfortunately, as my post indicates, moving all of our employees and all of our applications will take a long time. As of June, 2004, we were shooting for 18 months. At this point, I think we will miss that deadline.

    In short, the reality of this migration is smacking us right in the face.

  • by BoltInMyEar ( 755796 ) on Thursday February 10, 2005 @12:21PM (#11631078)
    I'm on hold with them now, waiting to get the download info. The lady I spoke with said I'd likely be waiting about 45 minutes. Huzzah.

    What's the point of doing it this way? Just post the damned patch to the downloads section of the web site, already.
  • by fubar1971 ( 641721 ) on Thursday February 10, 2005 @12:30PM (#11631208)
    You are correct. The article is misleading. Not all Symantec products are vulnerable. Go here [symantec.com] to see if your product requires the update.

    Luckily my product here at work does not require the update. I will however have my qmail/ClamAV mail router filter out UPX files as a precaution.
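
The precaution described in the comment above, filtering UPX files at the mail gateway, depends on recognising a UPX-packed executable. The following is an added example, not part of the original post and not the poster's qmail/ClamAV configuration: a heuristic that reads the PE section table and flags the default UPX section names. The function names and the sample input are constructed for illustration.

```python
import struct

# Default section names written by the UPX packer for PE files.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    # The PE signature (4 bytes) and COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                     # first section header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                             # each header is 40 bytes
        if off + 40 > len(data):
            break                                        # truncated attachment
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def looks_upx_packed(data):
    """Heuristic only: a packed file whose sections were renamed is not flagged."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))

def build_sample_pe(section_names):
    """Constructed test input: DOS header, PE/COFF headers and section table only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table

if __name__ == "__main__":
    for label, names in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("plain", [b".text", b".data"])):
        print(label, looks_upx_packed(build_sample_pe(names)))
```

A gateway rule built on this would quarantine flagged attachments before any unpacking scanner sees them; it complements the vendor patch rather than replacing it.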
  • by naer_dinsul ( 784040 ) on Thursday February 10, 2005 @12:33PM (#11631253) Journal
    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?

    Uhm... Yeah. That pretty much covers it.

    Sincerely,
    Erwin Schrödinger
  • Re:huh? (Score:3, Insightful)

    by gryfen ( 853155 ) on Thursday February 10, 2005 @12:40PM (#11631353)
    Of course! It's the standard corporate PR stance regarding vulnerabilities:
    The User of Our Software May Feel Secure, because:
    (1) Any bugs which may or may not hypothetically exist in our software do not *actually* exist until someone publicly blows the whistle (refer to the cat in the box)
    (2) The whistleblower is actually the one to blame for the insecurity existing, not our poor coding and software testing standards.
    (3) Ignore the [H,Cr]acker Behind the Curtain who may or may not have discovered the hypothetical security hole in our software and decided to keep the info to his/her self. Their existence, real or not, does not actually threaten your security while using our software.
  • by dsci ( 658278 ) on Thursday February 10, 2005 @12:46PM (#11631425) Homepage
    Sorry to state the obvious, but if you have users that can barely use Windows, they won't know the difference if you switch OS's.

    Good grief.
  • by 1u3hr ( 530656 ) on Thursday February 10, 2005 @12:53PM (#11631517)
    but there are people at my company who can barely use windows and you want a company to switch to a much less user friendly environment? The time to retrain people would be horrendous and not to mention training them on completely new software. Changing OS for individuals is not viable for most companies. PERIOD

    The ones who "can barely use windows" will complain that the start menu is in a different place and their screensaver won't work, otherwise they won't notice what they're using to type their memos, add up their expenses, or surf their porn. It's the "power users" who've written macros and such who are the difficult ones. Budget for buying Crossover for them while you gradually wean them off.

    I worked in an office that due to absorbing other small companies, had CP/M, DOS, Win 3, Win 98, MacOS 7, MacOS 8, all in use, and the staff were mostly clueless; but instead of throwing a fit were mostly willing to spend the few minutes needed to locate the icons to open a word processor, print, email... and that covers 95% of what they needed. It's strange to me that it's assumed that office workers are complete sheep who will be thrown into a panic by the slightest change in their desktop; forgetting that anyone who's worked for 15 years has probably gone through DOS, Win 3/95/98/2K/XP, not to mention Wordstar/WordPerfect/Word5/6/WinWord; Lotus 123/Excel, etc, etc.

    Why should one more round of change be so hard, especially with most of the change actually being behind the scenes rather than in the interface -- "open file", "select (with mouse)" "change font", "print" are all the same except for minor cosmetic differences as far as the user is concerned, whatever platform and suite you're using.

  • Re:Or... (Score:1, Insightful)

    by Anonymous Coward on Thursday February 10, 2005 @01:10PM (#11631815)
    Right. Because the only way this can possibly be exploited is by e-mailing someone a dodgy .exe?

    For someone who appears to be involved in security, you have a very limited imagination. Not a useful trait.
  • by AlexMax2742 ( 602517 ) on Thursday February 10, 2005 @04:09PM (#11634138)
    You're kidding, right? What you really meant to say was that "Symantec recommends you immediately patch [grisoft.com] your software.".

    Right? No sane person in his or her right mind would recommend McAfee in any way shape or form, would they?
