Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)
An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.
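The bug class the summary describes, a parser trusting size and count fields from a malformed PE header, as an added illustration that is neither Symantec's code nor the code Ormandy found: a small section-table parser in which every file-supplied offset and count is checked against the real buffer length before it is used, plus a constructed 128-byte sample image whose NumberOfSections field can be set to an oversized value. The PE field offsets are the standard ones; the function names and the sample image are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PE_SIG 0x00004550u        /* "PE\0\0" signature */
#define MAX_SECTIONS 96           /* Windows loaders reject images with more */
#define SECTION_HDR_SIZE 40
enum { PE_OK = 0, PE_TRUNCATED = 1, PE_BAD_SIG = 2, PE_BAD_SECTION_COUNT = 3 };

/* Little-endian reads without alignment or host-endianness assumptions. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hardened section-table parse: each offset and count taken from the file is
 * validated against len before it is dereferenced or used to size the copy. */
int pe_parse_sections(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len, uint16_t *nsec)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return PE_TRUNCATED;      /* "MZ" + e_lfanew */
    uint32_t pe_off = rd32(buf + 0x3C);
    if (pe_off > len || len - pe_off < 24) return PE_TRUNCATED;       /* sig(4) + COFF(20) */
    if (rd32(buf + pe_off) != PE_SIG) return PE_BAD_SIG;
    uint16_t n   = rd16(buf + pe_off + 6);                            /* NumberOfSections */
    uint16_t opt = rd16(buf + pe_off + 20);                           /* SizeOfOptionalHeader */
    if (n > MAX_SECTIONS) return PE_BAD_SECTION_COUNT;                /* cap before sizing */
    size_t tbl  = (size_t)pe_off + 24 + opt;                          /* cannot wrap: bounded by len */
    size_t need = (size_t)n * SECTION_HDR_SIZE;
    if (tbl > len || len - tbl < need) return PE_TRUNCATED;           /* table runs past EOF */
    if (need > out_len) return PE_TRUNCATED;                          /* destination too small */
    memcpy(out, buf + tbl, need);
    *nsec = n;
    return PE_OK;
}

/* Constructed sample image (not from any real binary): MZ stub, PE header at
 * 0x40, empty optional header, one zeroed section header; `claimed` is stored
 * in NumberOfSections so a malformed count can be modelled. */
static size_t build_sample(uint8_t *buf, size_t cap, uint16_t claimed)
{
    const size_t total = 0x40 + 24 + SECTION_HDR_SIZE;                /* 128 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                                 /* e_lfanew */
    buf[0x40] = 'P'; buf[0x41] = 'E';
    buf[0x46] = (uint8_t)claimed; buf[0x47] = (uint8_t)(claimed >> 8);
    return total;
}

/* Parse the sample with a given NumberOfSections; returns a PE_* code. */
int demo(uint16_t claimed)
{
    uint8_t file[128], sections[MAX_SECTIONS * SECTION_HDR_SIZE];
    uint16_t n = 0;
    size_t len = build_sample(file, sizeof file, claimed);
    return pe_parse_sections(file, len, sections, sizeof sections, &n);
}
```

Without the count cap and the end-of-file check, a header claiming 0xFFFF sections would drive a 2.6 MB copy out of a 128-byte input, which is the shape of overflow the summary describes.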
Re: (Score:2)
This. No one buys Symantec unless their company culture consumes enterprise marketing pieces like "Gartner MQs" to figure what to buy.
Re: Why does this matter? (Score:5, Funny)
Lots of organizations use Symantec. Some Slashdot readers actually have jobs at such organizations and would therefore find this information useful. You don't because you're in your mom's basement with your NetBSD computers.
Re: Why does this matter? (Score:1)
He's writing angry letters to the president in emacs under a single light bulb hanging from its own power wire.
Re: (Score:1)
We use Symantec Endpoint Protection. We tested over a dozen anti-virus systems, and it was the least worst. It's still pretty bad. I import and test .ova (Open Virtualization Archive) files several times a day. With Symantec enabled, it takes about four hours for a 2 GB compressed image. With it off, it usually takes less than ten minutes. Unfortunately my boss won't let me get rid of Windows since most of our customers use VirtualBox on Windows.
Re: (Score:2)
Actually, sadly, yes, organizations use this shit. I've seen a few Bring Your Own Device networks (such as college campuses) that force you to install whatever "security" bullshit they shove down your throat in order to be allowed to access their network. One such thing I came across was indeed Norton's shitware.
Re: (Score:2)
What happens when the Mac or Linux box tries to get on?
Re:Why does this matter? (Score:4, Informative)
SEP has RPM and DEB packages
Re: (Score:2)
does it push them at login? let you hit the repos to get the dependencies?
Re: (Score:2)
...and what would their response be if you showed them something like this on your Linux box?
salfter@files ~ $ sudo apt-get install symantec-shitware
-bash: apt-get: command not found
Do they tell you you're SOL?
Re: (Score:1)
People ticked off by McCrapfee
Re: (Score:1)
Does anyone still use Symantec? Yeah, I didn't think so. This matters to all of three neckbeards. I'll get modded down to -1 for asking this because Slashdot users can't handle the truth. All three of the neckbeards still using Symantec probably have mod points.
This troll is getting old fast. I'll get modded up to 420x10^69 for saying this because Slashdot users are unicorns who poop pepper jack burgers.
Because it runs on AIX and Solaris... (Score:2)
Yes, it is a waste of time, but McAfee and Symantec both have ICSA certified AV solutions which run on Linux, Solaris, HP-UX, and AIX. This is crucial in a lot of environments to make the legal eagles happy, and check that box off that "all computers run a certified AV solution", even if the machines are LPARs or LDOMs.
Sounds idiotic, but PCI-DSS and other specs can require this, even though the AV software, at best, will be deadweight.
Re: (Score:2)
You mean they require a specific set of certified attack vectors to be installed on every machine?
Re: (Score:2)
SEP is a cheap, easy, and staggeringly useful way of safely protecting something from unwanted eyes. It can run almost indefinitely on a torch (flashlight)/9 volt battery, and is able to do so because it utilizes a person's natural tendency to ignore things they don't easily accept, like, for example, aliens at a cricket match. Any object around which an S.E.P. is applied will cease to be noticed, because any problems one may have understanding it (and therefore accepting its existence) become Somebody Else
That's awesome (Score:1)
Irony Overflow Exception at lines one to infinity.
A thing of beauty (Score:4, Interesting)
Tavis Ormandy is bad ass, and is really awesome at finding bugs. Whether it is Microsoft, Symantec, or anything else, he will find a bug if one is there.
This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.
Re:A thing of beauty (Score:5, Insightful)
Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).
So it does make some sense to have a part of your scanner inside the kernel itself.
Of course, the downside is your scanner is now the target of attack because, well, it's a nice juicy place to attack.
Re: (Score:2)
Wasn't NT at one point a microkernel? Wouldn't you at some point be able to vector this into user-space libraries?
Yes! (Score:5, Funny)
Points to Symantec for eating their own dog food, I guess.
Re: (Score:2)
When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.
Points to Symantec for eating their own dog food, I guess.
Maybe ... but points off for having the Dog Food manufactured in China.
I wonder how long it will take... (Score:5, Insightful)
This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."
And that's as bad as it gets.
Actually, there's a few levels left. (Score:1)
Find a similar bug in a SMM (ring -1) handler in your UEFI BIOS... or perhaps in the various subsystems both intel and amd keep on strewing over their offerings that include complete RTOSes running in ring -2 or -3, or in the LOM, maybe on a processor embedded in the southbridge, which might run diddled Chinese firmware complete with diddle-hider, or.... And yes, that southbridge thing sits on a management NIC and gets its input from there before the rest of the system even sees it, so any exploit more or l
Re: (Score:2)
You are kidding yourself. These two may look better at the moment, but they have the same problems. AV has become a massive security risk.
automated fix already out (Score:2)
Unless you don't update AV definitions, this is a nonissue. The AV definition files dated 5/16/16 rev24 included an updated av engine component that fixes this vulnerability. By the time I heard of this issue, our SEPM server had already downloaded the defs with fixed engine and 3/4 of our enterprise was already up to date.
Re: (Score:2)
I beg to disagree. This shows that the scanning engines are of low(est) quality and run in places they should not. While this particular bug is now fixed, the underlying problem is very much not so.
Re: (Score:2)
You are seriously claiming that a file-scan engine needs to be in the kernel? You are even more stupid than the average AC moron.
Most stupid design possible (Score:2)
You would think that of all things, the scanning engines of AV products would have buffer-overflow protection in place. But apparently, these are the same bad third-rate coders that are responsible for the problem in the first place. And doing this in kernel space? How insane can you get?