Slashdot Mirror

There will always be kiddie. But Symantec should be focused on the CTO and the SMB/Enterprise customer. The kinds of places they've targeted these kinds products at.

Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch this is a sign that these concerns are changing. Anyway, DDOS solutions where probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).

I began to evaluate PatchLink Update for my employer. I liked what I saw, but I was a bit concerned with the trust model, and also its dependence on Microsoft SQL Server for its backend (we managed to negotiate an acceptable cost for the PLU license, but the SQL Server license for our site was horribly expensive - even at educational rates - unless we ran multiple PLU servers each backended by MSDE. A while ago, I was told about Symantec LiveState Client Management Suite. I've only seen a demo so far, but I liked what I saw, and I plan to evaluate it further together with other interested colleagues. The things I like most were that a) the usual way to create packages (and these could be patches or updates, of course) is to record the UI interactions during a normal install to a script file, meaning that there's no need to depackage whatever (semi-)proprietary installer is being used, ensuring greater reliability and b) its powerful dependencies system, seemlingly having the potential to provide equivalent functionality to Linux's yum or apt.

I think you're right - large amounts of traffic for little work, even if it isn't targeted. I'd never stoop to that level, especially not for my own site, Backup Exec FAQ, a user-contributed support site for Symantec Backup Exec. ;)

Who said it's Windows malware?

I thought I'd be a smart-ass and show you that it didn't run on Linux. But, damn! I have Wine installed.

./News.exe Could not stat /mnt/cdrom (No such file or directory), ignoring drive D:
err:win32:PE_fixup_imports No implementation for lz32.dll.2(LZCloseFile) imported from F:\News.exe, setting to 0xdeadbeef
wine: Unhandled exception, starting debugger...

so please explain why, after eight years on the market, Macs running OS X have precisely zero infections

Because you're either a liar or a moron.

Back in 2004 this trojan was found in the wild. Yes that's "in the wild", not some proof of concept crap. This is an actual backdoor running out there on more than 1 Mac. There are other worms and viruses but again because so few people run a Mac it's not widespread. This was 2004, Apple's market share is growing, they are getting more and more bugs and being worse about fixing them. If Mac is getting burned this bad at only 6.38% market share I really shudder to think how bad it would be if they ever got really big.

Using a Mac and claiming you're more secure is like moving to the woods and claiming your crime rate is lower.

To be fair, Symantec didn't call Windows "more secure", the news article did.

Symantec's Report

While I agree for the most part, the report that the summary doesn't reference is actually pretty good. I know, because I was 1/6 of the people who wrote it. And we have nothing to do whatsoever with the people who write the antivirus stuff, we aren't even in the same country.

This article is purely about medium- or high-impact vulnerabilities in the OS or software that comes with the OS that were patched. Unfortunately for Linux, that means almost everything.

You can read the full report here. That's a much better source than the news.

So, before we start trashing a href="http://Symantec.com">Symantec... Has anyone actually read the threat report? I didn't see anywhere that they ranked the Operating Systems in order of Most to Least secure. Also, the report makes no claim that Windows is the most secure. The Article by Internetnews says that, not Symantec. I mean, if I'm wrong, please point out where it says this in the actual report.

If I make a report that says 5000 people die in swimming pools every year, and 100 people die from base jumping, that doesn't mean I am saying that swimming is more dangerous than base jumping. If internetnews comes along and says that, well, that's their misguided interpretation.

The report gives the facts. The article takes the facts and manipulates them to say something that isn't implied. Only an idiot would make those conclusions.

1. The post links to a report on internetnews.com, not Information Week, as reported.
2. The InternetNews.com report links to the Symantec summary web page, which does not mention Microsoft at all . Moreover, it is a report on Internet Security, not operating systems. (A bit more about that next.)
3. The report itself is a 104 page (PDF) document (including 24 pages of appendices), which mentions Microsoft mostly in minor points, and in the following contexts:
   1. The Executive Summary does not mention Microsoft at all, nor does the Internet Security Threat Report Overview.
   2. The first mention of Microsoft comes in the Attack Trends Highlights of the Executive Summary Highlights, and it is not flattering: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   3. Similarly, under Vulnerability Trends Highlights (also under Executive Summary Highlights), the next mention is also not flattering: "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera."
   4. The next mention of Microsoft comes on page 19, under the heading, Threats posed to Windows Vista becoming evident. This comes after an Executive Summary Discussion that does not mention Microsoft anywhere in its ten pages. So far, I'm not feeling the "surprise" factor mentioned by david_g17.
   5. The first conclusion reached in the discussion of threats to Vista is that "Microsoft's Security Development Lifecycle, while thorough, does not necessarily identify all potential vulnerabilities." I am starting to feel some surprise, but it relates to how david_g17 interpreted this story.
   6. The discussion of threats to Vista identifies vulnerabilities, malicious code and attacks against the Teredo protocol. It simply does not say anything to indicate that Symantec believes Vista to be in any way superior to other operating systems with respect to security.
   7. The next mention of Microsoft comes under the section on Attack Trends, and concludes: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   8. The next mention of Microsoft is essentially a footnote that singles out two Microsoft vulnerabilities in attributing a peak in bot activity. This is not necessarily a criticism of Microsoft, but it would hardly lead one to think of Microsoft as superior to other vendors.
   9. Next, under Vulnerability Trends, "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera." Um ... doesn't this mean that Microsoft is less than other vendors? Yes, I know, it's about browsers, not operating systems. Wait. Didn't Microsoft blur this distinction a little bit with their bundling strategy?
   10. Finally ... in the subsection, Patch development time for operating systems, almost halfway through the report, Symantec does give david_g17 his fodder: "Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006".
       However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have

1. The post links to a report on internetnews.com, not Information Week, as reported.
2. The InternetNews.com report links to the Symantec summary web page, which does not mention Microsoft at all . Moreover, it is a report on Internet Security, not operating systems. (A bit more about that next.)
3. The report itself is a 104 page (PDF) document (including 24 pages of appendices), which mentions Microsoft mostly in minor points, and in the following contexts:
   1. The Executive Summary does not mention Microsoft at all, nor does the Internet Security Threat Report Overview.
   2. The first mention of Microsoft comes in the Attack Trends Highlights of the Executive Summary Highlights, and it is not flattering: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   3. Similarly, under Vulnerability Trends Highlights (also under Executive Summary Highlights), the next mention is also not flattering: "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera."
   4. The next mention of Microsoft comes on page 19, under the heading, Threats posed to Windows Vista becoming evident. This comes after an Executive Summary Discussion that does not mention Microsoft anywhere in its ten pages. So far, I'm not feeling the "surprise" factor mentioned by david_g17.
   5. The first conclusion reached in the discussion of threats to Vista is that "Microsoft's Security Development Lifecycle, while thorough, does not necessarily identify all potential vulnerabilities." I am starting to feel some surprise, but it relates to how david_g17 interpreted this story.
   6. The discussion of threats to Vista identifies vulnerabilities, malicious code and attacks against the Teredo protocol. It simply does not say anything to indicate that Symantec believes Vista to be in any way superior to other operating systems with respect to security.
   7. The next mention of Microsoft comes under the section on Attack Trends, and concludes: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   8. The next mention of Microsoft is essentially a footnote that singles out two Microsoft vulnerabilities in attributing a peak in bot activity. This is not necessarily a criticism of Microsoft, but it would hardly lead one to think of Microsoft as superior to other vendors.
   9. Next, under Vulnerability Trends, "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera." Um ... doesn't this mean that Microsoft is less than other vendors? Yes, I know, it's about browsers, not operating systems. Wait. Didn't Microsoft blur this distinction a little bit with their bundling strategy?
   10. Finally ... in the subsection, Patch development time for operating systems, almost halfway through the report, Symantec does give david_g17 his fodder: "Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006".
       However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have

Symantec operates one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, the BugTraq(TM) mailing list, which has approximately 50,000 direct subscribers who contribute, receive, and discuss vulnerability research on a daily basis. Symantec also maintains one of the world's most comprehensive vulnerability databases, currently consisting of over 20,000 vulnerabilities (spanning more than a decade) affecting more than 45,000 technologies from over 7,000 vendors. The following discussion of vulnerability trends is based on a thorough analysis of that data.

Symantec classified four percent of all vulnerabilities disclosed during this period as high severity, 69 percent were medium severity, and 27 percent were low severity.

Wow, I didn't even know Symantec even makes anto-spyware or the mac, especially since it doesn't exist (for now).

it also helps if you design the code based on security from the beginning instead of attempting to bolt-on security like it's another feature when it definitely isn't.

If I remember correctly, you can manually download and install the updates... Try this link: http://securityresponse.symantec.com/avcenter/defs .download.html

Symantec lets you legally download their updates, for free, from their FTP servers. ftp://ftp.symantec.com/AVDEFS/norton_antivirus/. Extract the files from the .exe to NAV's Incoming directory using WinRAR and you're good to go. (One minor problem is that the newest version of Norton's security bloatware seem to "protect" their program directories by default, so you have to disable that setting in order to install updates manually.

And if you look around online, there's actually a Windows batch file that will do it for you automatically. You can even schedule it with Windows Task Scheduler.

it seems some symantec employee is wasting his time,

http://www.symantec.com/enterprise/security_respon se/writeup.jsp?docid=2007-022810-3637-99&tabid=2

It appears that Symantec has finally begun moving to daily updates. Information about their Live Update system indicates that for their 2006 home user product daily updates were available. Users of prior versions of the product receive only weekly updates. They have been under tremendous pressure from customers to make daily updates available for several years. I'm glad to see them finally moving that direction.

why bother writing a story about a story when you can just link to the original

http://www.symantec.com/enterprise/security_respon se/weblog/2007/02/an_example_of_why_uac_prompts.ht ml

SymNRT (download) will remove all the remaining bits and pieces of whatever Symantec/Norton crap is still there.

SymNRT (download) will remove all the remaining bits and pieces of whatever Symantec/Norton crap is still there.

It doesn't play nice with uninstallation at all.

Even after uninstalling, you need to download and use a special cleaning tool to get rid of all of the files and registry entries that piece of crap software leaves behind.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf /docid/2005033108162039/ (Skip all of the instructions for reinstallation of Norton, just run the tool.)

Alternatively, get it here:
http://www.majorgeeks.com/Norton_Removal_Tool_SymN RT_d4749.html

Uninstalling Norton has been known to hose systems, so be careful (make backups, etc) before attempting to uninstall. And make sure you run the tool :)

Symantec says "SystemDoctor is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats."

I completed the unpleasant task of helping my wife get started with a new HP computer, preloaded with Windows XP Home and a plethora of shovelware. We spent hours watching dialogs pop up suggesting that we download this, register that, and update the other.

Practically the first thing that happened was that Norton Internet Security popped up a huge scary dialog warning us that we hadn't turned it on. The next thing was a huge scary dialog saying that it had found a security risk in her system. The problem it had found was that it apparently ships with no virus definitions at all, and required about twenty minutes over broadband to download and install some seventeen thousand of them. The next thing was a huge scary dialog saying that we needed to register with Symantec (presumably so that it can give us a huge scary warning at the end of the free 60-day trial).

The next thing was a huge scary warning that we needed to turn off Windows Firewall, which to Microsoft's credit is apparently preinstalled turned on and functioning, so that we could use Norton Internet Security's firewall instead.

The next thing was a huge scary warning that we had attempted to change Internet Explorer's home page from an AOL signup offer to my wife's existing "my Yahoo" page.

Every time she launched an application a little yellow flag would rise up from the taskbar to tell her that Norton Internet Security noticed that she had launched an application.

And from time to time it puts up a message box with no apparent purpose other than to tell her that Norton Internet Security is running properly. "Exaggerated reports of threats on the computer?" "Prompts the user to purchase a registered version of the software in order to remove the reported threats?" To be fair, although it did prompt her to register, I don't believe it will prompt her for a purchase until the end of the sixty days.

But the thing is the most intrusive, obnoxious, offensive piece of crap I've ever seen. It makes Clippy look adorable by comparison.

Presumably she needs more than just an antivirus program (ClamAV). If anyone has any recommendations on a well-behaved, friendly security program for Windows XP that isn't in your face all the time, I'd love to hear it.

P. S. The reason we bought a machine with XP is that my wife has been stalling on a much-needed upgrade for about three years now, and what she read about Vista was what convinced her that we needed to run out immediately while we could still get a machine preloaded with XP. Do you think she is being included in these statistics that show that Vista has boosted PC sales...

The aplore worm used the same trick in 2002 except it setup a web server on each computer and sent a URL pointing to it in IM windows. I'm sure there are earlier examples but that is the first one off the top of my head.

Ramen.

And before anyone answers "EVERY month is the Month of Windows Bugs" I mean where someone publishes a nice calendar or even just an easy-to-reference list.

This looks pretty decent: SARC Vulnerabilities.

Not if you ghost the drive after doing the upgrade.

Totally off-topic, but I initially read that as, "Not if you ghost drive after doing the upgrade," thinking "ghost driving" was something like "ghost riding". I could see how ghost riding your "whip" (and subsequently crashing or getting it stolen) could make OS disaster recovery less irritating by comparison.

Then I realized you meant Norton Ghost, the drive-imaging software, and your comment was suddenly much less funny.

The sender encouraged clients to download a "spam fighting" application.'"

The trojan in question only runs on Windows.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.

Just makes it that much harder to automate installation of a keylogger.

Norton AV 2007 boasts rootkit protection.

The vast majority of the virus scanning/blocking software is THIRD PARTY, as is much of the spyware detection software. For your reference:

http://www.symantec.com/
http://www.mcafee.com/

You say this with what evidence?... You know you're on Slashdot when a product that isn't even out yet has already been relegated to the insecure/unsafe/junk software category.

Truth is, every new piece of software is insecure junk until proven otherwise. Almost always, that takes time and exposure, and patches. Certainly that's been the case with past MS OS's, and Vista has a lot of new code. Sorry, nobody gets tens of millions of lines of new code exactly right the first time. You'd be insane to throw out XP for Vista on security grounds right now.

We found a malicious Word document that was written in Portuguese and added detection for it as Trojan.Mdropper.T. The document contains an exploit that drops an executable file, which then installs a downloader threat and opens a clean Word document in an Asian language with some strange predictions about the future. The downloader then downloads a keylogger/infostealer.

Why should I care why there are no viruses? There are none, that's all that matters.

Don't forget trojans -- there have been trojans on OS X. You should care because when you make smug comments about Windows, you should know just what, exactly, is protecting you. If it is only obscurity, then you have no cause to be smug. Let's say that everybody buys into Apple's commercials and switches from Windows to Macs. Will the Macs prevent today's abysmal security situation from repeating itself?

There are dozens of browsers and dozens of Mail clients, all with a frai market share.

I'm willing to bet most users Safari or Firefox. I did some googling, and a cursory glance supports that view.

Macs are just more secure.

This comes back to my original question. I wanted to know what security the Mac offered that let users download and run arbitrary programs without worrying about malware. The only technical answer I've seen is user privileges. As I understand it, you don't have to have admin rights to install an application, and malware can infect these applications. At least, that's my understanding based on OSX.Leap.A. Seems to me that all the ingredients are there for Mac users to experience the same misery as Windows users, but given the small market share, there's no focus by malware writers.

"See a recent podcast by Steve Gibson on Vista's new stack"

NO! Skip Gibson's gas-bagging and go directly to the source document:

http://www.symantec.com/avcenter/reference/ATR-Vis taAttackSurface.pdf

It's very good.

First they come up with the hypothetical Mac "virus" that can hypothetically execute code if you manually download it and run it. And now it's the hypothetical BlackBerry malware that will hypothetically execute code if you manually download it and run it.

What an absolutely pathetic attempt at marketing from the once grand antivirus company.

Like most, I carry Knoppix, and I've had good luck with the System Rescue CD.

There's another few discs I like to keep with me, not so much against system failure but against "OS rot": a copy of Norton Ghost, and a ghost image of my XP partition, made just after install of the system and my favorite apps. A split copy of the image will fit on 2 4.5GB DVDs. Sometimes I don't bother and just put the image on a 2.5" USB-HD enclosure I carry.

If you adopt a good filesystem architecture, keeping your personal files on a separate partition, you can blast the ghost back into the boot partition whenever Windows starts puking on device drivers or doing whatever crufty XP behavior drives you nuts.

Ghost isn't free, and this takes DVDs to work, but it allows me to bounce my XP every month or so, making it work pretty smoothly. Also, I'm guessing M$ doesn't really condone this sort of Windows usage - software activation makes the technique a little hinky.

Anyone know of a cheap-as-free alternative to Ghost for this solution? The key functionality would be image splitting to disc sizes, bootability of the app itself, and boot drivers for CD/DVD drives and HD enclosures.

It's typical MS fud. They LOVE to harp on how many bugs their competition has, but there is a hell of a lot more to it than quantity. Slammer anyone?

Oracle is a huge robust database with lots of extremely security conscious clients. A high number of reported bugs and fixes shows that they're executing due diligence, and working to keep their system as secure as possible. MSSQL's low number of bugs suggests that Microsoft isn't digging hard into their code, but only waiting for big public flaws.

They used the same argument in claiming that IE was less buggy than Firefox (see this crappy article) and it's just as untrue in this case.

Not true.

If an admin knows that his company is being attacked he can make sure that all systems within the company get updated anti-virus definitions IMMEDIATELY instead of on a time interval.

There are solutions, but the only way the Symantec can offer them is by converting to a service (not product) model.

That's putting your foot in your mouth, CEO...

LOL!

Talk about putting your foot in your mouth, Symantec has a service called DeepSight that can inform an admin when their domain is being attacked.

Having said all that, aimed at keeping the bad kids out of the lab, it is a shame that trojans, bots, viruses, etc. from all over the world will soon get into these boxes and turn them into a zombie farm or something.

The boxes can be virus scanned using f-prot with a livecd knoppix linux. (See screenshots, below)
I find that it can do that just as good as Norton AV.

http://www.symantec.com/enterprise/products/overvi ew.jsp?pcid=1001&pvid=869_1 we have one at my work. many of our customers have them.

I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it...

That would be Welchia:
http://www.symantec.com/security_response/writeup. jsp?docid=2003-081815-2308-99

...(in fact I know there was, because I got 'hit' with it).

The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.

Wasn't there a variant on the blaster worm that uninstalled the original blaster worm and replaced it with a new variant?

I'm sure this has been done before.

Ah, yes. The Welchia worm!

Boring. Next please...

You don't need direct access to the Kernel to do damage. You really don't think a browser can launch a malicious program? Why don't you look up Exploit.OSX.Safari? Want to guess why it has the word "Safari" in its name? Its not because it shows you pictures of wild animals.

And I'm sick and tired of hearing this myth put out. Of course there are viruses for Mac OS X out there. All it takes is a few minutes on Google to confirm this. For instance OSX/Leap-A, Inqtana, Exploit.OSX.Safari, Exploit.OSX.ScriptEx, etc.

Here is a question. If it were not possible to write viruses for Mac OS X, why is there anti-virus software out there for it?

Peddling this "OS X is virus-free" myth is not only wrong, it is dangerous. How many people out there fail to set up their Mac with sufficient security because they have been hearing nothing but "only Windows has viruses"? Once someone does come around with a serious virus for OS X, how many people will be unguarded because they heard this line from people like you?

I am both a Mac user (g3 iBook) and a PC user (dude, I got a Dell).

And there is stuff in the wild against OS X:

http://www.macrumors.com/pages/2006/02/20060216005 401.shtml

http://www.macrumors.com/pages/2006/02/20060216234 239.shtml

http://www.symantec.com/security_response/writeup. jsp?docid=2006-021614-4006-99

It is rather weak, but out there.

Sorry, but besides the fact that it's illegal and unethical, it would probably only make things worse anyway.

The Nachi worm that tried to fix Blaster worm infected PCs back in 2003. Unfortunately, the "cure" was worse than the disease.

Erm, that would be SEMANTIC web, as in the word "semantic" (see http://dictionary.reference.com/browse/semantic) not Symantec, as in the security software company (see http://www.symantec.com/index.htm).

It's all semantics, anyway I guess. Jesus.

Symantec web?