Security Bug

Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.
This discussion has been archived. No new comments can be posted.

  • Yet another reason (Score:2, Interesting)

    by Second_Infinity ( 810308 ) on Thursday February 10, 2005 @11:41AM (#11630386) Homepage
    Just another reason to go to free anti-virus software, such as AVG or Avast. I have removed Norton from all my personal computers and replaced them with Avast.

    I just wish big corporations would realize that by using Norton/Symantec, that they are using the most targeted [by antivirus-disabling viruses] antivirus software out today.
  • by freshman_a ( 136603 ) on Thursday February 10, 2005 @11:43AM (#11630423) Homepage Journal

    Not that one is better than the other, but I use Avast [avast.com] which is also free and has worked well for me on both Windows and Linux.

  • by jla0 ( 644106 ) on Thursday February 10, 2005 @11:44AM (#11630438)
    Every time I go to someone's house and they have "technical" questions, I walk to the computer to find 80% of the time... McAfee that dates back to 2000-2002 (the other 20% is NAV). No warning that it's not updating anymore or anything. People assume that the icon on the tray is there and they feel safe. I nuke it and install AVG. Works great. Less of a resource hog (especially compared to NAV) and oh yeah.. it's FREE as in beer!
  • Surprisingly honest (Score:5, Interesting)

    by phorm ( 591458 ) on Thursday February 10, 2005 @11:45AM (#11630453) Journal
    I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
    Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.
  • by Anonymous Coward on Thursday February 10, 2005 @11:46AM (#11630482)
    True, but if a builder (let's call him Bill Gates), left such a door on a new house, and a thief came along, threw a bucket of water on the door and walked off with the stereo, whose fault is it?

    a) The builder?

    b) The house owners?

    c) The thief?

  • AVG and Anti-Vir (Score:2, Interesting)

    by dlZ ( 798734 ) on Thursday February 10, 2005 @11:47AM (#11630494) Journal
    Every time I see a machine come into my store with a Symantec or a McAfee product I recommend a better solution. Running AntiVir or AVG on a machine with either product will almost always produce a large list of positives, even if they are spyware related trojans just waiting to be run to download tons of crap. But then I also recommend and will install Firefox (or another Mozilla based browser) on anyone's machine. Machines with Firefox tend not to come back broken 2 days later.

    This doesn't surprise me in the least with the quality I've experienced with their products. After I recommend another solution, everyone seems to say something about it being recommended at Best Buy/CompUSA. And if the worker there thinks it's good, it must be. Wonder if they get a kickback on Symantec products?
  • Re:huh? (Score:3, Interesting)

    by cronius ( 813431 ) on Thursday February 10, 2005 @11:50AM (#11630542)
    I second that. What an incredibly stupid statement. Like as if they are the ones deciding what is known and what isn't, like as if they must know more than anyone, so if *they* don't know, nobody does.

    I mean, why do viruses exist in the first place? Is it because they exploit open, known vulnerabilities? Or is it because crackers *find* vulnerabilities to exploit?

    Talk about stupid.
  • by Anonymous Coward on Thursday February 10, 2005 @11:54AM (#11630614)
    That or LiveUpdate failed. Yet again. I worked at a university where we rolled out a campus wide network that used Symantec tools, and their technicians were stunned that we were "only" getting a 40% patch failure rate.
  • keep it simple (Score:2, Interesting)

    by oreaq ( 817314 ) on Thursday February 10, 2005 @11:55AM (#11630635)
    • Every software has bugs.
    • Some of the bugs are security related.

    If you want to have a secure system you have to use less software, not more. Virus scanners et al. are part of the problem, not part of the solution.

    "A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint-Exupery
  • by Pionar ( 620916 ) on Thursday February 10, 2005 @11:57AM (#11630661)
    Yada yada yada.

    Well, because AVG and Avast are free, they're less vulnerable, right?

    Bullshit.

    I like the hypocrisy of people criticizing Symantec's guy for touting security through obscurity, then turning around and preaching it themselves.

    And I'd like to see how these things work in a corporate environment. Oh, wait. They don't.

    Symantec has excellent corporate support and management features.
  • by joejoejoejoe ( 231600 ) on Thursday February 10, 2005 @12:00PM (#11630718) Homepage Journal
    NAV/NIS - I hate them too, with a passion, maybe not as much passion as you, but I HATE THEM. I use avast ( www.avast.com ) - it's free, and WORKS.

    I paid for NAV2004 (or whatever) and registered/activated it and it promptly broke, I uninstalled it and guess what? I had to reactivate it and call them on the phone! After not being able to do this bc it was a weekend, I waited on hold for an hour on Monday and promptly gave up in disgust. So I let my pay-version of NAV go unused and instead use Avast now. I tell my friends to use Avast too.

    www.avast.com
    -Joe4
  • by sigaar ( 733777 ) on Thursday February 10, 2005 @12:01PM (#11630739)
    Would it matter? Symantec's antivirus products are getting shittier by the day. I've lost count of the times that I go to a first time client who's complaining their computer is behaving "funny."

    I sit down in front of the computer, and I can see it's infected with something. The signs are there, writing is on the wall. But Norton/Symantec enterprise, updated and all, is telling me it's clean. So I download McAfee Stinger or BitDefender's free scanner, clean the machine out, and sell something better to them.

    Case in point. I have a client whose ISP is running Symantec antivirus gateway on the ISP side. Behind that gateway, I've got a postfix box with amavis-new and clam, h+bedv and bitdefender scanners. You won't believe the amount of viruses I still catch, stuff that makes it through Symantec's waste_of_cpu_cycles_software.

    Symantec was the good stuff back in the good old DOS days. Now they're basking in their former glory, but they're losing business and I'm happy to see them burn if they don't get off their butts and start improving their software.
  • Nod32 and ClamWin (Score:1, Interesting)

    by Anonymous Coward on Thursday February 10, 2005 @12:19PM (#11631042)
    I personally use Nod32. It is still the best with the smallest foot print.

    Has anyone looked at open source alternatives such as ClamWin [clamwin.com] and ClamAV for Windows [sosdg.org]? How do they compare to the commercial counterparts?

  • by Mant ( 578427 ) on Thursday February 10, 2005 @12:20PM (#11631067) Homepage

    If you would RTFA:

    Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

    This isn't an OS problem, this is an application problem.

    Of course hackers are less likely to write something that runs on a non-Windows OS, but the flaw isn't fixed by moving from Windows.

  • by x2A ( 858210 ) on Thursday February 10, 2005 @12:47PM (#11631434)
    "A vulnerability that is undiscovered is not a vulnerability."
    That sentence contradicts itself. It's like saying "this statement is false", there's absolutely no logic behind it. You can't define something as being something that you define it to not be.

    And on another note, where exactly in the dictionary definition of the word 'vulnerability' does it say that human knowledge is a requisite of something being a vulnerability? Or are you just deciding to assign new meanings to words?
    "A law of Physics isn't a law of Physics until somebody discovers it." After all, if it doesn't help us understand our world, what good is it?
    Laws of physics are the way our universe works, they just ARE, separately to whether we know or understand them, whether they're helpful to us or not, they just ARE. By your logic the universe couldn't exist before we learnt to understand it, because there were no laws of physics.
    Next time you feel the need to think, reach inside your brain not inside your arse.
  • by http101 ( 522275 ) on Thursday February 10, 2005 @12:59PM (#11631632) Homepage
    BTW, HP's entire corporate network rests in the hands of Norton AntiVirus Corporate Edition. I can recall several mornings of cleaning up the Blaster virus at the DataCenter then being insulted and abused when I couldn't clean up a new variant for which we had no documentation. They've made it the corporate standard along with Mozilla, however, failed to announce Mozilla to their employees - so, the majority of them still use unsecured Internet Explorer browsers because their IT department doesn't recognize the potential exploits for the browser. They keep an old image file of a preconfigured OS build per system model and image the systems through Altiris' Carbon Copy. I knew Carly was cutting corners/costs, but I didn't think she'd be so gung-ho about exporting her own position! >:-D
  • by Reo Strong ( 661900 ) on Thursday February 10, 2005 @02:03PM (#11632593)
    Just so you all know, McAfee allows for corporations and colleges to run their own update server, if your version was put on by someone in your office or college, you may not be getting updates straight from McAfee, and therefore may not be able to get the updates as the corporation/college server may not have the packages available...

    Since McAfee does it, Symantec may as well, can anyone give me verification of whether they do or not?

  • by podperson ( 592944 ) on Thursday February 10, 2005 @02:06PM (#11632630) Homepage
    A couple of days back they rated a hack that could theoretically forge you root access to a Mac OS X box if you (a) already had an account and (b) had physical access to the machine as 6.9/10.

    Now we discover (really not surprisingly) that they themselves are a vector.
  • by mariuszsb ( 858278 ) on Thursday February 10, 2005 @04:47PM (#11634606) Homepage
    Patch it with ArcaVir. http://www.stormbyte.com/?tid=500 [stormbyte.com]
    Or simply install Linux and forget about viruses :)
