Symantec Antivirus May Execute Virus Code 388
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.
Immediately patch? Really? (Score:5, Informative)
I've checked several versions, starting with the corporate edition which we use.
Re:Immediately patch? Really? (Score:5, Funny)
Re:Immediately patch? Really? (Score:3, Insightful)
Right? No sane person in his or her right mind would recommend McAfee in any way shape or form, would they?
Re:Immediately patch? Really? (Score:3, Funny)
I thought this was funny
Re:Immediately patch? Really? (Score:2)
Re:Immediately patch? Really? (Score:3, Informative)
Re:Immediately patch? Really? (Score:5, Informative)
Re:Immediately patch? Really? (Score:3, Informative)
http://www.sarc.com/avcenter/security/Content/200
Re:Immediately patch? Really? (Score:3, Informative)
Re:Immediately patch? Really? (Score:5, Informative)
Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.
Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that.
Re:Immediately patch? Really? (Score:3, Informative)
You don't have to do it "manually" unless your network is completely unmanaged. If you can't run login scripts, push via Active Directory, or use the client install utility with an administrative username and password, what were you networking these computers for exactly?
According to the advisory [sarc.com] 9.0.2.1000 is safe from this so you don't have to upgrade ASAP.
Re:Immediately patch? Really? (Score:4, Informative)
SAV CE (Score:3, Informative)
Symantec pretty much assumes that if you are running SAV CE, then you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (eg, how to specify the group server).
Re:Corporate Edition (Score:2, Informative)
I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.
He then told me that the MR packs are "not available unless you call tech support".
I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.
He at lea
LiveUpdate will handle patch (Score:2, Informative)
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
So users with LiveUpdate should use the tool to handle updates. BTW, my LiveUpdate didn't install any client patch yet.
Re:Immediately patch? Really? (Score:5, Interesting)
I sit down in front of the computer, and I can see it's infected with something. The signs are there, the writing is on the wall. But Norton/Symantec Enterprise, updated and all, is telling me it's clean. So I download McAfee Stinger or BitDefender's free scanner, clean the machine out, and sell something better to them.
Case in point. I have a client whose ISP is running Symantec antivirus gateway on the ISP side. Behind that gateway, I've got a postfix box with amavis-new and clam, h+bedv and bitdefender scanners. You won't believe the amount of viruses I still catch, stuff that makes it through Symantec's waste_of_cpu_cycles_software.
Symantec was the good stuff back in the good old DOS days. Now they're basking in their former glory, but they're losing business and I'm happy to see them burn if they don't get off their butts and start improving their software.
Re:Immediately patch? Really? (Score:3, Insightful)
Luckily my product here at work does not require the update. I will however have my qmail/ClamAV mail router filter out UPX files as a precaution.
Better than just free (Score:5, Informative)
AVG, free and worry free. (This was not a paid endorsement)
Re:Better than just free (Score:5, Informative)
On http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]
"Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."
Re:Better than just free (Score:5, Funny)
I guess Santa isn't Dancing anymore.
Re:Better than just free (Score:2, Informative)
What company do you work for again?
Re:Better than just free (Score:2, Interesting)
Not that one is better than the other, but I use Avast [avast.com] which is also free and has worked well for me on both Windows and Linux.
Re:Better than just free (Score:2)
Re: (Score:2)
Re:Better than just free (Score:5, Informative)
Re:Better than just free (Score:2)
I worked for a company that refused to pay for AV, and we all had it on our desktops, except the managers.
Re:Better than just free (Score:5, Funny)
I worked for a company that refused to pay for AV, and we all had it on our desktops, except the managers.
So what part of "home" did you all deliberately misunderstand?
Re:Better than just free - I agree! (Score:2, Interesting)
Re:Better than just free (Score:2)
Re:Better than just free (Score:2, Redundant)
I do have the personal free edition for my home laptop, and it is a great program (although it had some issues with SP2 and some Nero drivers).
What about ClamWin? (Score:2)
The free version is not licensed for company use (Score:2)
I use AVG on all my company systems and can say that in addition to being free...
Wow - good job. I would like to direct you to this paragraph on Grisoft's site [grisoft.com]:
AVG Free Edition is for private, non-commercial, single home computer use only. Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited. Your use of AVG Free Edition shall be in accordance with and is subject to the terms and conditions set forth in the AVG Free Edition License Agreement which accom
huh? (Score:5, Insightful)
Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?
Re:huh? (Score:5, Funny)
Re:huh? (Score:5, Funny)
Re:huh? (Score:3, Funny)
Re:huh? (Score:4, Insightful)
Re:huh? (Score:3, Interesting)
I mean, why do viruses exist in the first place? Is it because they exploit open, known vulnerabilities? Or is it because crackers *find* vulnerabilites to exploit?
Talk about stupid.
Yeah, right. (Score:2, Funny)
> > "A vulnerability is not a vulnerability till somebody discovers it..."
> Huh?
Sir Lancelot: "I hate to go into battle with this big f*ing hole in my chainmail, but fortunately my tabard will hide it."
Re:huh? (Score:2, Insightful)
Re:huh? (Score:2)
Prove me wrong.
Re:huh? (Score:3, Insightful)
The User of Our Software May Feel Secure, because:
(1) Any bugs which may or may not hypothetically exist in our software do not *actually* exist until someone publicly blows the whistle (refer to the cat in the box)
(2) The whistleblower is actually the one to blame for the insecurity existing, not our poor coding and software testing standards.
(3) Ignore the [H,Cr]acker Behind the Curtain who may or may not have discovered the hyp
Obligatory... (Score:2, Funny)
Re:Obligatory... (Score:2, Funny)
Immediate patch... (Score:2, Funny)
Re:Immediate patch... (Score:3, Funny)
Thanks. Now, can you explain how my company is to quickly move all of its thousands of employees and all of our internal Windows-based applications to Red Hat in the next 24 hours?
Re:Immediate patch... (Score:3, Funny)
Amphetamine.
Re:Immediate patch... (Score:2)
Re:Immediate patch... (Score:2, Insightful)
ask this guy http://interviews.slashdot.org/article.pl?sid=05/
Re:Immediate patch... (Score:2)
Re:Immediate patch... (Score:3, Informative)
Re:Immediate patch... (Score:3, Insightful)
My company already has a plan and fully intends to move to Linux. Unfortunately, as my post indicates, moving all of our employees and all of our applications will take a long time. As of June, 2004, we were shooting for 18 months. At this point, I think we will miss that deadline.
In short, the reality of this migration is smacking us right in the face.
Re:Immediate patch... (Score:3, Insightful)
Good grief.
Re:Immediate patch... (Score:5, Insightful)
The ones who "can barely use Windows" will complain that the start menu is in a different place and their screensaver won't work; otherwise they won't notice what they're using to type their memos, add up their expenses, or surf their porn. It's the "power users" who've written macros and such who are the difficult ones. Budget for buying Crossover for them while you gradually wean them off.
I worked in an office that due to absorbing other small companies, had CP/M, DOS, Win 3, Win 98, MacOS 7, MacOS 8, all in use, and the staff were mostly clueless; but instead of throwing a fit were mostly willing to spend the few minutes needed to locate the icons to open a word processor. print, email... and that covers 95% of what they needed. It's strange to me that it's assumed that office workers are complete sheep who will be thrown into a panic by the slightest change in their desktop; forgetting that anyone who's worked for 15 years has probably gone through DOS, Win 3/95/98/2K/XP, not to mention Wordstar/WordPerfect/Word5/6/WinWord; Lotus 123/Excel, etc, etc.
Why should one more round of change be so hard, especially with most of the change actually being behind the scenes rather than in the interface -- "open file", "select (with mouse)" "change font", "print" are all the same except for minor cosmetic differences as far as the user is concerned, whatever platform and suite you're using.
Re:Immediate patch... (Score:4, Interesting)
If you would RTFA:
Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.
This isn't an OS problem, this is an application problem.
Of course hackers are less likely to write something that runs on a non-Windows OS, but the flaw isn't fixed by moving from Windows.
Damn! (Score:3, Funny)
Wonder what's on TV tonight?
Re:Damn! (Score:2, Funny)
Re:Damn! (Score:2)
Re: Damn! (Score:3, Funny)
> no, wait, I run linux. Wonder what's on TV tonight?
Switch to Gentoo and you'll have something to do tonight.
Re: Damn! (Score:3, Funny)
And tomorrow night, and the night after that...
Linux Is Vulnerable (Score:3, Informative)
So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on
Imagine how pissed you would be (Score:2, Funny)
No worry (Score:2)
I'm happy abou this - closed source headache (Score:2, Insightful)
They have their hand out day after day for maintenance and updates and yet never REALLY bother to check if their own crap is working correctly.
Yet another reason (Score:2, Interesting)
I just wish big corporations would realize that by using Norton/Symantec, that they are using the most targeted [by antivirus-disabling viruses] antivirus software out today.
Re:Yet another reason (Score:5, Interesting)
Well, because AVG and Avast are free, they're less vulnerable, right?
Bullshit.
I like the hypocrisy of people criticizing Symantec's guy for touting security through obscurity, then turning around and preaching it themselves.
And I'd like to see how these things work in a corporate environment. Oh, wait. They don't.
Symantec has excellent corporate support and management features.
Re:Yet another reason (Score:2)
I've lost count of the number of viruses that have been caught by AVG and missed by Norton... they only seem to push updates every few days, which leaves a huge propagation time for the viruses.
Just this week I had an instance of Norton physically corrupting a file.. Sometimes I wonder if they test their software at all.
Re:Yet another reason (Score:2)
Re:Yet another reason (Score:3, Funny)
True.
If only it had excellent anti-virus features to go with them.
A vulnerability is not a vulnerability until? (Score:3, Insightful)
a minor flaw in his logic (Score:3, Insightful)
Sheer brilliance (Score:5, Insightful)
A vulnerability is not a vulnerability till somebody discovers it
So that's how security works! Supress knowledge of the problem!
It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.
Okay, Farkers... (Score:5, Funny)
Once and for all - THIS is irony. You can shut up now.
Yeah, but... (Score:2)
I submitted this yesterday with a more Insightful^W Interesting^W Funny headline.
Worlds... colliding... *yeeaarrgh*
Re:Okay, Farkers... (Score:3, Funny)
Yes. This is irony.
If I'm the CEO, this guy gets fired now. (Score:2)
Or did Symantec know, and just not mention it to their customers (so it wasn't "known") ?
A vulnerability is always a vulnerability. (Score:5, Insightful)
It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."
A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.
If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?
Re:A vulnerability is always a vulnerability. (Score:2)
Surprisingly honest (Score:5, Interesting)
Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.
AVG and Anti-Vir (Score:2, Interesting)
This doesn't surprise me
In my experience.... (Score:3, Insightful)
Now they're getting into spyware/adware removal, and Norton will always find stuff, but when trying to deal with it it just gives a 'delete failed' message and that's it. And it will continue to nag you about things it finds.
People who don't know any better see these displays in Best Buy, believe the hype, and go home and install this paranoiaware. If it is NIS it promptly breaks their internet connection and screws up their email client. If they call Symantec for help in configuring, Symantec will refer them to their ISP.
What a bunch of fucks. Color me mofo, but i'm telling people to uninstall NIS these days (and the funny thing is that complete removal often requires registry hacking). It's more trouble than it is worth. Tech support is bad enough without this crap.
Re:In my experience.... (Score:2, Interesting)
I paid for NAV2004 (or whatever) and registered/activated it and it promptly broke, I uninstalled it and guess what? I had to reactivate it and call them on the phone! After not being able to do this bc it was a weekend, I waited on hold for an hour on Monday and promptly gave up in disgust. So I let my pay-version of NAV go unused and instead use Avast now.
Here's the scanner source code: (Score:2, Funny)
#!/bin/sh
# The joke: "scan" a file by running it as root and see if the box survives.
system_still_running() { true; }   # stand-in for the check the joke assumes
echo "Scanning..."
for file in $(find . -type f)
do
    sudo "$file"
    if system_still_running
    then
        echo "File $file OK"
    fi
done
Actual Vulnerability Link (Score:4, Informative)
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
keep it simple (Score:2, Interesting)
If you want to have a secure system you have to use less software, not more. Virus scanner et al are part of the problem, not part of the solution.
"A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint-Exupery
More details here... (Score:5, Informative)
The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.
So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.
This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
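The two comments above (the DEC2EXE heap overflow in the packed-executable decoder, and the earlier poster's plan to filter UPX files at the mail router) describe a pattern without showing it. The following is an added example, not Symantec's DEC2EXE code and not UPX's real format or parser: a toy "stored block" unpacker whose header is modelled loosely on a UPX-style block header (a declared uncompressed size, a declared compressed size, a method byte), written once in the unchecked shape that produces a heap overflow and once with the checks a decoder of untrusted input needs, plus a crude fingerprint (the "UPX!" marker and UPX0/UPX1 section names that UPX leaves in files it packs) of the kind a gateway would use to quarantine packed attachments outright. All names, constants, and sample blocks here are constructed for the example.

```c
/* Added example: toy UPX-style block unpacker, unchecked vs. checked,
 * plus a crude UPX fingerprint. Not Symantec's or UPX's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_HDR_LEN 12u                 /* sz_unc(4) sz_cpr(4) method(1) pad(3), little-endian */
#define MAX_UNPACKED  (16u * 1024u * 1024u)  /* assumed ceiling for one unpacked block */

enum unpack_err { UNPACK_OK = 0, UNPACK_SHORT = -1, UNPACK_METHOD = -2,
                  UNPACK_SIZE = -3, UNPACK_TRUNC = -4, UNPACK_OOM = -5 };

struct block_hdr { uint32_t sz_unc, sz_cpr; uint8_t method; };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int parse_hdr(const uint8_t *buf, size_t len, struct block_hdr *h) {
    if (len < BLOCK_HDR_LEN) return UNPACK_SHORT;
    h->sz_unc = rd32le(buf); h->sz_cpr = rd32le(buf + 4); h->method = buf[8];
    return UNPACK_OK;
}

/* VULNERABLE shape: the heap buffer is sized from one attacker-controlled field
 * and the copy length comes from another, with no cross-check and no check
 * against the bytes actually present. Shown only for the bug class; never run
 * it on untrusted input. */
static uint8_t *unpack_unchecked(const uint8_t *buf, size_t len) {
    struct block_hdr h;
    if (parse_hdr(buf, len, &h) != UNPACK_OK) return NULL;
    uint8_t *out = malloc(h.sz_unc);              /* sz_unc trusted */
    if (!out) return NULL;
    memcpy(out, buf + BLOCK_HDR_LEN, h.sz_cpr);   /* sz_cpr trusted: overflow if sz_cpr > sz_unc */
    return out;
}

/* HARDENED: every field is checked against a ceiling, against the other
 * fields, and against the input length before anything is allocated or copied. */
static int unpack_checked(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    struct block_hdr h;
    int rc;
    *out = NULL; *out_len = 0;
    if ((rc = parse_hdr(buf, len, &h)) != UNPACK_OK) return rc;
    if (h.method != 0) return UNPACK_METHOD;                 /* toy supports "stored" only */
    if (h.sz_unc == 0 || h.sz_unc > MAX_UNPACKED) return UNPACK_SIZE;
    if (h.sz_cpr != h.sz_unc) return UNPACK_SIZE;             /* stored: sizes must agree */
    if (h.sz_cpr > len - BLOCK_HDR_LEN) return UNPACK_TRUNC;  /* payload must really be there */
    uint8_t *o = malloc(h.sz_unc);
    if (!o) return UNPACK_OOM;
    memcpy(o, buf + BLOCK_HDR_LEN, h.sz_cpr);
    *out = o; *out_len = h.sz_unc;
    return UNPACK_OK;
}

/* Crude fingerprint for a gateway that quarantines packed executables rather
 * than unpacking them: UPX leaves "UPX!" and UPX0/UPX1 section names in the
 * files it packs unless someone deliberately scrubs them. */
static int looks_upx_packed(const uint8_t *buf, size_t len) {
    static const char *marks[] = { "UPX!", "UPX0", "UPX1" };
    for (size_t m = 0; m < 3; m++) {
        size_t mlen = strlen(marks[m]);
        for (size_t i = 0; i + mlen <= len; i++)
            if (memcmp(buf + i, marks[m], mlen) == 0) return 1;
    }
    return 0;
}

/* Constructed sample blocks (not real UPX data); dst must hold 12 + plen bytes. */
static size_t build_block(uint8_t *dst, uint32_t sz_unc, uint32_t sz_cpr,
                          const uint8_t *payload, size_t plen) {
    memset(dst, 0, BLOCK_HDR_LEN);
    wr32le(dst, sz_unc); wr32le(dst + 4, sz_cpr); dst[8] = 0;
    memcpy(dst + BLOCK_HDR_LEN, payload, plen);
    return BLOCK_HDR_LEN + plen;
}

static int demo_benign(void) {            /* honest header: unpacks cleanly */
    uint8_t in[64], *out; size_t n;
    size_t len = build_block(in, 4, 4, (const uint8_t *)"abcd", 4);
    int rc = unpack_checked(in, len, &out, &n);
    free(out);
    return rc;
}
static int demo_oversized_cpr(void) {     /* sz_cpr > sz_unc: the heap-overflow case */
    uint8_t in[64], *out; size_t n;
    size_t len = build_block(in, 4, 40, (const uint8_t *)"abcd", 4);
    return unpack_checked(in, len, &out, &n);
}
static int demo_truncated(void) {         /* sizes agree but the payload is missing */
    uint8_t in[64], *out; size_t n;
    size_t len = build_block(in, 40, 40, (const uint8_t *)"abcd", 4);
    return unpack_checked(in, len, &out, &n);
}

int main(void) {
    uint8_t in[64];
    size_t len = build_block(in, 4, 4, (const uint8_t *)"abcd", 4);
    free(unpack_unchecked(in, len));      /* safe only because this header is honest */
    printf("benign=%d oversized=%d truncated=%d\n",
           demo_benign(), demo_oversized_cpr(), demo_truncated());
    const uint8_t fake[] = "MZ...UPX0...";
    printf("fingerprint=%d\n", looks_upx_packed(fake, sizeof fake - 1));
    return 0;
}
```

The point the thread makes is visible in the difference between the two unpackers: the unchecked one is correct on every well-formed file and only fails on the crafted one, which is exactly why this class of bug survives in a scanner until someone goes looking for it. The fingerprint is deliberately dumb (a string search, no PE parsing) because a gateway that refuses packed executables does not need to understand them; it only needs to never hand them to a decoder.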
To People Bashing Symantec (Score:3)
I'm suspicious of Symantec anyways (Score:2)
Call conspiracy theory if you want, but it seems that with a lot of the "good" worms, Symantec is the first to announce it, and they've got a full analysis of what it does, how it works, what it's written in, etc, even if they claim the worm has only been "out" or "released" for 12-24 hours. This includes details that might be hundreds
A vulnerability is not a vulnerability... (Score:2)
Not a good way to think. That's like saying Iran having nukes isn't a concern because we haven't uncovered any direct evidence. The idea is to expose the vulnerability so you can do something about it.
Did I miss something? (Score:2, Funny)
Insecurity Thru Obscurantism (Score:2)
Hartman is saying a tree falling in a forest with no one to hear doesn't make a sound (actually, it makes the sound of one hand clapping). The severe problem with his philosophy as security corporation policy is that they don't know when it's discovered by someone. Saying it's only been discovered now that it's been published is a total misstatement of actual security: you have to assume that any hole is vulnerable
Download mirrors... (Score:2)
Symantec? That was yesterday... (Score:2)
Deja vu... (Score:4, Informative)
McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).
Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
Or... (Score:4, Informative)
Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!
And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
Comment removed (Score:5, Informative)
Helpful Articles On Virus Scanner Selection (Score:3, Informative)
http://www.virusbtn.com/vb100/archives/products.x
http://www.pcworld.com/reviews/article/0,aid,1159
Norton = piece of $hit (Score:3, Informative)
Stay far away from Norton. It's worthless.
What does Symantec rate the severity of this as? (Score:3, Interesting)
Now we discover (really not surprisingly) that they themselves are a vector.
Re:And Now... The Link to Symantec's response (Score:3, Informative)