Symantec Antivirus May Execute Virus Code
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.
"No updates available for this product."
I've checked several versions, starting with the corporate edition which we use.
I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.
AVG, free and worry free. (This was not a paid endorsement)
"A vulnerability is not a vulnerability till somebody discovers it..."
Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
May I be the first to congratulate our executable overlords!
http://fedora.redhat.com/
No time to waste! Systems may already be infected, so better get offline immediately, review what installed software is at risk and start figuring out a way to get the patches... no, wait, I run linux.
Wonder what's on TV tonight?
Trust the Computer. The Computer is your friend.
if you went in for an STD test and they gave you herpes!
The UPX license expressly prohibits modifying exes after they've been compressed.
Because it proves that tool vendors are really some of our worst enemies and closed source tool vendors are the worst of all.
They have their hand out day after day for maintenance and updates and yet never REALLY bother to check if their own crap is working correctly.
Just another reason to go to free anti-virus software, such as AVG or Avast. I have removed Norton from all my personal computers and replaced them with Avast.
I just wish big corporations would realize that by using Norton/Symantec, that they are using the most targeted [by antivirus-disabling viruses] antivirus software out today.
Come on! A cardboard door is not a vulnerability until someone figures out how to get it wet?!
Like all talking heads the guy didn't think before opening his mouth. The problem is this: you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. There are unknowable numbers of unknown vulnerabilities and known numbers of known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.
Microsoft has tried to go this route by trying to stifle any release of "known" vulnerabilities so that they can't be exploited by the masses. See how well THAT worked? They should work at faster release of updates instead of waiting for it to become a serious issue... Especially with something THIS severe...
I haven't lost my mind. It's backed up on disk somewhere.
From TFA:
A vulnerability is not a vulnerability till somebody discovers it
So that's how security works! Suppress knowledge of the problem!
It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.
You know all those idiotic flamewars that spring up whenever the "irony" tag is used?
Once and for all - THIS is irony. You can shut up now.
I gave up on NAV. Always wanting subscription cash. Always wanting you to upgrade.
AVG for free is for me.
Help end the use of Sigs. Tomorrow
OMFG. Who would say it's not a vulnerability until it's known? Known by whom? If a black-hat knows, and shares it quietly with other black-hats, this could be devastating without ever being "known." This is security by obscurity, except it isn't well obscured.
Or did Symantec know, and just not mention it to their customers (so it wasn't "known") ?
"A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.
It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."
A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.
If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?
Honey, I shrunk the Cygwin
Every time I go to someone's house and they have "technical" questions, I walk to the computer to find 80% of the time... McAfee that dates back to 2000-2002 (the other 20% is NAV). No warning that it's not updating anymore or anything. People assume that the icon in the tray is there and they feel safe. I nuke it and install AVG. Works great. Less of a resource hog (especially compared to NAV) and oh yeah.. it's FREE as in beer!
I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.
Is it just me, or is the patch/update download site already slashdotted? I can't get it to load.
Every time I see a machine come into my store with a Symantec or a McAfee product I recommend a better solution. Running AntiVir or AVG on a machine with either product will almost always produce a large list of positives, even if they are spyware-related trojans just waiting to be run to download tons of crap. But then I also recommend and will install Firefox (or another Mozilla-based browser) on anyone's machine. Machines with Firefox tend not to come back broken 2 days later.
This doesn't surprise me in the least with the quality I've experienced with their products. After I recommend another solution, everyone seems to say something about it being recommended at Best Buy/CompUSA. And if the worker there thinks it's good, it must be. Wonder if they get a kickback on Symantec products?
rm -rf
http://www.kaspersky.com/downloads
Less complex systems fail less often and when they do fail they tend to fail in more predictable ways only partially because there are fewer dependencies for people to track.
....Norton Antivirus/Internet Security is the biggest piece of shit excuse for security software EVAR. It is poorly designed, poorly implemented, always breaks, and the only fix is "please reinstall NIS".
Now they're getting into spyware/adware removal, and Norton will always find stuff, but when trying to deal with it it just gives a 'delete failed' message and that's it. And it will continue to nag you about things it finds.
People who don't know any better see these displays in Best Buy, believe the hype and go home and install this paranoiaware. If it is NIS it promptly breaks their internet connection and screws up their email client. If they call Symantec for help in configuring, Symantec will refer them to their ISP.
What a bunch of fucks. Color me mofo, but i'm telling people to uninstall NIS these days (and the funny thing is that complete removal often requires registry hacking). It's more trouble than it is worth. Tech support is bad enough without this crap.
do() || do_not();
That's because your fucking software is built to run in ActiveX! So when I get a virus in ActiveX, it shuts down ActiveX after embedding itself on my system, therefore Norton AV will NOT run and fails to clean up the virus. Congrats, I'm now a zombie. Thank you, you stupid mother fuckers.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
> > "A vulnerability is not a vulnerability till somebody discovers it..."
> Huh?
Sir Lancelot: "I hate to go into battle with this big f*ing hole in my chainmail, but fortunately my tabard will hide it."
Sheesh, evil *and* a jerk. -- Jade
Anyone can find reference to it on Symantec site?
Is it vulnerable?
and what if *.exe files are blocked via the extension name rule? the vulnerability still exists?
Reboot your computer.
The BIOS will make sure that the correct kernel is loaded. The kernel will make sure that the newest update from Norton is installed, and the newest update from Norton will remove the viruses.
We can only hope.
Many Bothans died to bring you this sig.
#!/bin/sh
echo Scanning...
for file in `find /`
do
sudo $file
if system_still_running
then
echo File $file OK
fi
done
the antivirus program has become the very thing that it has been programmed to stop.
Yeah right, like OSS NEVER ships with any exploitable code. It's not that some code can be exploited, it's what happens when the exploit is found. It appears that Symantec is addressing the issue quickly, which is the best that can be hoped for, open or closed source.
I hope you're just trolling and you don't actually believe the crap that you're spewing.
Got this link from Platinum support. UPX Parsing Engine Heap Overflow
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
Viruses (not that I have seen a real one in ages)/spyware/trojans/rads already kill scanners because they can,
they just find the process and kill it, even "protected processes", they even do firewalls too, many just carry a list of the most popular filenames and if it spots the process it kills it, rips its registry entries out and voila, no protection, disabling a virus scanner or software firewall is trivial at best (of course the key is if the malware is not identified by the scanner first)
I have had 0-day worms infect my customers who had Symantec protection (with daily! updates) and because that signature had never been seen before it ignored the worm until it had sent 200 emails from the contact list (with a copy of itself) and the user spotted that Word was slow because the scanner was scanning 200 outgoing mails
which meant that the antivirus failed its job, and could no longer be trusted, Symantec was at that point a waste of money
the flaw is in the way Windows works itself not the virus scanner
The support engineer that I spoke with today stated that even though we have gold support you don't get notified for anything except "major releases".
I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.
He then told me that the MR packs are "not available unless you call tech support".
I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.
He at least sent me a link to download the latest releases.
Thanks Symantec. I had to pull at your teeth to get you to talk, and only then you just spoke the least necessary. Great service.....:)
but some of us have seen this for ages, bitched and moaned about it, and switched people ultimately to other software because this has been happening for a LONG time. Ever notice how fully patched systems with Norton's on it (which is fully up to date, on broadband so it gets the updates immediately, etc) seem to still get viruses that Norton's just doesn't pick up. Hate to say this but this is common knowledge to most who deal with this everyday. For everyone else, here's your wakeup call. All of the major AV players are under attack.
If you want to have a secure system you have to use less software, not more. Virus scanner et al are part of the problem, not part of the solution.
"A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint-Exupery
http://www.symantec.com/avcenter/security/Content/2005.02.08.html
The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.
So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.
This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
It's not like FOSS hasn't had its share of local arbitrary code execution exploits before.
Your hair look like poop, Bob! - Wanker.
For all their pandering and pushing paranoia-ware, I sometimes suspect that maybe, just possibly, some of these worms that get released might come from Symantec themselves.
Call it conspiracy theory if you want, but it seems that with a lot of the "good" worms, Symantec is the first to announce it, and they've got a full analysis of what it does, how it works, what it's written in, etc, even if they claim the worm has only been "out" or "released" for 12-24 hours. This includes details that might be hundreds or thousands of varying filenames the worm will drop, what it does on certain times or dates that haven't occurred yet, and various other things that are internal to the program itself.
Yes I know you can take an executable and reverse engineer it to see how it works, but I'm sure some things will get lost in translation. Plus, in their description of their buzzwords and jargon, they define "Zoo Threats" as worms that "only exist in antivirus labs".
I'm not saying that there *aren't* plenty of mofos around the world writing worms out of spite, but I think that sometimes the actions of Symantec might belie a hidden agenda.
Business is business.
...until someone discovers it?
Not a good way to think. That's like saying Iran having nukes isn't a concern because we haven't uncovered any direct evidence. The idea is to expose the vulnerability so you can do something about it.
---Technology will liberate us if it doesn't enslave us first.
I've had excellent luck with ClamWin
Karma: Chameleon (mostly due to the fact that you come and go).
I use AVG on all my company systems and can say that in addition to being free...
Wow - good job. I would like to direct you to this paragraph on Grisoft's site:
AVG Free Edition is for private, non-commercial, single home computer use only. Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited. Your use of AVG Free Edition shall be in accordance with and is subject to the terms and conditions set forth in the AVG Free Edition License Agreement which accompanies AVG Free Edition.
Perhaps you should upgrade.
I want to drag this out as long as possible. Bring me my protractor.
The linked article states that:
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
So users with LiveUpdate should use that tool to handle updates. BTW, my LiveUpdate didn't install any client patch yet.
One more thing in my massive list of blocked attachments.
This reminds me of Jennifer Government -
http://www.maxbarry.com/jennifergovernment/
One of the characters writes a trojan that works by exploiting a buffer overflow in the virus scanner (thus running even if the user never ran it, without needing bugs in further products), and also adds itself to central AV servers' virus signatures, which causes it to infect all AV clients when they update the signatures.
BTW, great book, and the "big companies taking over the world" theme is very Slashdot style .
Did Microsoft buy out Norton last week?
To be able to unpack a PE file, you must either get the official unpacking code from the developer (which is in many cases not possible), or you must make your own (well, obviously). Now, to make it yourself, you can extract the unpacking code from any file known to be compressed by the packer, and add that to your unpacking code, or you can actually copy out the code from the file you're currently unpacking and patch it so it fits your program. This works because you know the signature of the unpacking code and you know where in memory it will read/write.
The problem occurs if a known packer's unpacking code is amended do something else, but still fit the signature.
The main reason why they'd want to piggyback on the executable's code is due to the high number of versions of the packing code. They could quite easily crack them all as they appear, but if you use the file's own code, you have a generic unpacking routine that saves you lots of time and money.
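The DEC2EXE post above and the unpacking post here describe the same hazard from two sides: the scanner's unpacker takes its sizes, and in the stub-reuse approach even its code, from the file being scanned. The following example is mine, not Symantec's or UPX's code, and uses a constructed toy packed format (not UPX's real layout) to put an unpacker that trusts the header next to one that bounds every read and write by the buffers it actually holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "packed" format (NOT UPX): 12-byte header then payload.
 *   bytes 0-3   magic "TOY1"
 *   bytes 4-7   u_len  declared unpacked size (little-endian)
 *   bytes 8-11  c_len  declared payload size  (little-endian)
 *   payload: run-length pairs <count, byte>, count in 1..255        */
#define HDR_LEN 12
#define MAX_UNPACK (64u * 1024u * 1024u)   /* policy cap: refuse absurd declared sizes */

enum toy_err { TOY_OK = 0, TOY_BAD_MAGIC, TOY_BAD_CLEN, TOY_BAD_ULEN,
               TOY_OVERRUN, TOY_SHORT, TOY_NOMEM };

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE pattern: both sizes come straight from the file. c_len is never
 * compared with in_len (read overrun) and the runs are never compared with
 * u_len (heap overflow of the malloc'd buffer). Shown only for the pattern;
 * never call it on untrusted input. */
unsigned char *decode_trusting_header(const unsigned char *in, size_t in_len) {
    (void)in_len;                                   /* the real length is ignored */
    uint32_t u_len = rd32(in + 4), c_len = rd32(in + 8);
    unsigned char *out = malloc(u_len);             /* attacker-chosen allocation size */
    size_t o = 0;
    for (size_t i = 0; i + 1 < c_len; i += 2)
        for (unsigned k = 0; k < in[HDR_LEN + i]; k++)
            out[o++] = in[HDR_LEN + i + 1];         /* no check against u_len */
    return out;
}

/* HARDENED version: every declared size is checked against what we really
 * have, every write against the buffer we really allocated, and nothing
 * taken from the file is executed or trusted as a length. */
enum toy_err decode_checked(const unsigned char *in, size_t in_len,
                            unsigned char **out_p, size_t *out_len) {
    *out_p = NULL; *out_len = 0;
    if (in_len < HDR_LEN || memcmp(in, "TOY1", 4) != 0) return TOY_BAD_MAGIC;
    uint32_t u_len = rd32(in + 4), c_len = rd32(in + 8);
    if (c_len > in_len - HDR_LEN || c_len % 2 != 0) return TOY_BAD_CLEN;
    if (u_len == 0 || u_len > MAX_UNPACK) return TOY_BAD_ULEN;
    unsigned char *out = malloc(u_len);
    if (!out) return TOY_NOMEM;
    size_t o = 0;
    const unsigned char *p = in + HDR_LEN;
    for (uint32_t i = 0; i < c_len; i += 2) {
        unsigned count = p[i];
        if (count == 0 || count > u_len - o) { free(out); return TOY_OVERRUN; }
        memset(out + o, p[i + 1], count);
        o += count;
    }
    if (o != u_len) { free(out); return TOY_SHORT; }   /* header lied about size */
    *out_p = out; *out_len = o;
    return TOY_OK;
}

/* Constructed samples: one honest file and two with lying headers. */
static const unsigned char sample_good[] = {
    'T','O','Y','1', 5,0,0,0, 4,0,0,0, 3,'A', 2,'B' };        /* -> "AAABB" */
static const unsigned char sample_overrun[] = {
    'T','O','Y','1', 2,0,0,0, 4,0,0,0, 3,'A', 2,'B' };        /* runs exceed u_len */
static const unsigned char sample_bad_clen[] = {
    'T','O','Y','1', 5,0,0,0, 0xE8,3,0,0, 3,'A', 2,'B' };     /* c_len 1000 > payload */

int main(void) {
    unsigned char *out; size_t n;
    enum toy_err e = decode_checked(sample_good, sizeof sample_good, &out, &n);
    printf("good: err=%d len=%zu %.*s\n", e, n, (int)n, (const char *)out);
    free(out);
    printf("overrun: err=%d\n", decode_checked(sample_overrun, sizeof sample_overrun, &out, &n));
    printf("bad_clen: err=%d\n", decode_checked(sample_bad_clen, sizeof sample_bad_clen, &out, &n));
    return 0;
}
```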
What spyware does AVG install? (Other than the fact it infects all your outgoing email messages with ads for itself)
If that's not proof enough that companies tend to patch only AFTER their products are directly threatened, I don't know what is.
...because you never know who you're dealing with.
Just when you think the whole Microsoft world couldn't get any more pathetic, a gem like this happens.
Thank you Bill Gates. And thank you the millions of losers who use his products.
"A vulnerability is not a vulnerability till somebody discovers it" - Tim Hartman / Symantec
Hartman is saying a tree falling in a forest with no one to hear doesn't make a sound (actually, it makes the sound of one hand clapping). The severe problem with his philosophy as security corporation policy is that they don't know when it's discovered by someone. Saying it's only been discovered now that it's been published is a total misstatement of actual security: you have to assume that any hole is vulnerable as soon as it exists, and that you don't know who knows. This hole in their software has revealed more than a buffer overflow risk. It has revealed that Symantec can't be trusted with security when their own reputation is on the line: any day of the week.
--
make install -not war
You can download the patch here
Today's news is F-Secure Security Bulletin FSC-2005-1 Code execution vulnerability in ARJ-archive handling!
I tested the AVG server version here. I threw my file quarantine database at it, and it missed ~20% of the infected files that other AV products identified. The client scanner could be re-configured/disabled by the user. The uninstall cratered the server. It left a service in a condition that wouldn't allow the server to boot. I had to go into safe mode and clean up after it to get it working. Two of the four test clients I was running it on failed to uninstall properly. Summary: The commercial version just doesn't seem ready for prime time.
I submitted this yesterday with a more Insightful^W Interesting^W Funny headline.
Worlds... colliding... *yeeaarrgh*
Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).
McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).
Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
http://www.symantec.com/avcenter/security/Content/2005.02.08.html
I've been waiting for something like this for a while now. A virus that either is triggered by antivirus software, or a virus that attacks and alters antivirus software. I'm surprised that it's taken this long. If the antivirus software is corrupt, the average home user is in a heap of trouble.
Granted, I don't know that it hasn't been done yet, but I don't recall hearing about it.
"No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
Huh? Have you ever used AVG? It's got NO spyware and no adware. The "signature" at the bottom of emails can be turned off or personalized. I have it setup to sign in (and IN only) emails with attachments that tells me the email is virus free. Please don't make false claims. Especially on great products like AVG.
Has anyone looked at open source alternatives such as ClamWin and ClamAV for Windows? How do they compare to the commercial counterparts?
And other scan engines running at crossroad points in the network. If Symantec ignores it, it is because Sophos already deleted the virus.
Talk about putting all your eggs in one basket.
Have a good one.
===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on this, not just the Windows guys.
Ha! Every single person whose computer I've serviced that runs Norton is running a copy of 2002 with a virus dat from 2001.
:)
But once again, I'd like to thank the virus writers and the goof up from Norton. You drive my business
Please don't make false claims. Especially on great products like AVG.
He probably works for McAfee.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
#dd if=/dev/urandom of=/dev/hda
It got rid of all my virus, spyware and other Windows related problems!
You mean this is a manual upgrade? How insane is that? We can't do this manually on hundreds of machines.
Symantec recommends you immediately patch your software
Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!
And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Tim Hartman, senior technical director for Symantec Asia Pacific, said:
"A vulnerability is not a vulnerability till somebody discovers it...
Impressive foresight. Another great security through obscurity business model.
No tiny Tim, if your tire can be flattened, it will be. It's that simple.
What does he think the term "known vulnerability" refers to? Does he think the converse doesn't exist?
use the MAC version--
NOD32 provides the best antivirus protection and has consistently won numerous awards that Norton can't even touch.
Want evidence of how solid it is? NOD32 is the antivirus app used on Microsoft's corporate networks...
I just got off the phone with my Symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.
Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.
-ted
I have a copy of NAV 2005 and I run LiveUpdate almost daily. I just ran it again and all it did was download a new virus definition. How can I tell if it's patched or not?
Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:
http://www.virusbtn.com/vb100/archives/products.x
http://www.pcworld.com/reviews/article/0,aid,1159
Symantec pretty much assumes that if you are running SAV CE, then you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (eg, how to specify the group server).
(S(SKK)(SKK))(S(SKK)(SKK))
Don't worry about me, I'm safe. I don't have a virus scanner installed.
Any chance of a small "UPX overflow" checker? Would be great to have a simple way to detect if an upgrade is needed (ie. liveupdate not working properly, need new licenses, whatever).
Or perhaps a neutered virus that can be sent through email gateways, etc?
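The mail-admin post above argues that executables should never reach the scanner, and the request for a "UPX overflow checker" here is really about knowing which attachments would reach the vulnerable decoder at all. The example below is mine, not Symantec's or UPX's code: it walks PE headers with explicit bounds checks, reports MZ/PE executables by content whatever their extension (which answers the earlier question about blocking *.exe by name), and flags UPX section names as a triage marker; section names can be renamed, so that flag is a heuristic, not proof.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum exe_class { NOT_EXEC = 0, EXEC_MZ_DOS, EXEC_PE, EXEC_PE_UPX, EXEC_MALFORMED };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify a byte buffer by content. PE layout used: "MZ" at 0, e_lfanew at
 * 0x3C, "PE\0\0" at e_lfanew, 20-byte COFF header (NumberOfSections at +2,
 * SizeOfOptionalHeader at +16), then NumberOfSections 40-byte section headers
 * whose first 8 bytes are the name. Every offset is checked against len
 * before it is dereferenced. */
enum exe_class classify_executable(const unsigned char *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return NOT_EXEC;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return EXEC_MALFORMED;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return EXEC_MZ_DOS;   /* plain DOS MZ */
    const unsigned char *coff = buf + e_lfanew + 4;
    uint16_t nsec = rd16(coff + 2);
    uint16_t opt_size = rd16(coff + 16);
    size_t sect_off = (size_t)e_lfanew + 24 + opt_size;
    if (sect_off > len || (len - sect_off) / 40 < nsec) return EXEC_MALFORMED;
    int upx = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const unsigned char *name = buf + sect_off + (size_t)i * 40;
        if (memcmp(name, "UPX", 3) == 0) upx = 1;   /* UPX0 / UPX1 / UPX2 section names */
    }
    return upx ? EXEC_PE_UPX : EXEC_PE;
}

/* Gateway policy helper: anything executable by content is rejected, and a
 * malformed header is treated as executable rather than waved through. */
int should_reject_attachment(const unsigned char *buf, size_t len) {
    return classify_executable(buf, len) != NOT_EXEC;
}

/* Build a constructed, minimal PE image (no optional header, no section data)
 * to exercise the parser. Real files carry a 224/240-byte optional header,
 * which the parser skips via SizeOfOptionalHeader. Returns bytes written. */
size_t build_sample_pe(unsigned char *out, size_t cap, const char *names[], uint16_t nsec) {
    size_t need = 0x40 + 24 + (size_t)nsec * 40;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 4 + 2] = (unsigned char)(nsec & 0xFF);  /* NumberOfSections */
    out[0x40 + 4 + 3] = (unsigned char)(nsec >> 8);
    for (uint16_t i = 0; i < nsec; i++) {           /* names are NUL-padded to 8 */
        size_t l = strlen(names[i]);
        if (l > 8) l = 8;
        memcpy(out + 0x40 + 24 + (size_t)i * 40, names[i], l);
    }
    return need;
}

int main(void) {
    unsigned char img[512];
    const char *packed[] = { "UPX0", "UPX1", ".rsrc" };
    const char *plain[]  = { ".text", ".data" };
    size_t n = build_sample_pe(img, sizeof img, packed, 3);
    printf("packed sample: class=%d reject=%d\n", classify_executable(img, n),
           should_reject_attachment(img, n));
    n = build_sample_pe(img, sizeof img, plain, 2);
    printf("plain sample:  class=%d\n", classify_executable(img, n));
    printf("truncated image: class=%d\n", classify_executable(img, 0x44));
    return 0;
}
```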
blah blah blah Linux blah blah blah
Between their thirst for your money with updates and having issues like this is why WinAntiVirus is the next real leader in the Anti-Virus arena. It is also the only program that seems to work well as an all-in-one with firewall, pop-up blocker, and Anti-Spyware software package. I gave up on Symantec a couple of years ago and put this on my Windows boxes. I have no issues with any of this crap though on my linux boxes. I guess Microsoft will have to figure out a way to work or get left behind.
Perhaps you mean basking in their former glory?
did that happen to you too! That truly sucks, whenever it happens.
Symantec Antivirus May Execute Virus Code
I don't care if Symantec runs virus code, just as long as windows doesn't.
Coder's Stone: The programming language quick ref for iPad
What's a virus?
http://illhostit.com/ - Webhosting
How do you think that anyone can take anything you say seriously if you try to say something AND contradict it, within the same sentence???
A vulnerability cannot be a non-vulnerability, it's a breach of definition. As for: Those of us who don't reach up our arses for thoughts have this amazing ability to recognise the existence of things that aren't just every day objects, we've moved past "A is for Apple". And that's totally ignoring the fact that we CAN *physically* test laws of *physics* (notice how similar those words are? Do you think there could be a link?). Why do you remind me of the video that everybody's seen of the monkey trying to drink its piss? Nope, it's a mystery.
I'm vulnerable to high speed bullets ripping my flesh apart... yet I've never been shot! I bet you're one of those people who think that trees fall silently when there's no person around to hear them aren't you?
The revolution will not be televised... but it will have a page on Wikipedia
http://www.gentoo.org
Gentoo, the Linux distro for Real Men.
I'm glad I switched from Symantec Corp to McAfee Enterprise a few months ago. While I'm not terribly happy with McAfee (uses lots of CPU when browsing directories with many gigs of files), Symantec really pissed me off when I removed it. I had to spend about an hour removing reg. keys that their uninstaller was too lazy to remove. It couldn't have been that difficult for them to have the installer remove them, but instead they give you three pages of crap that you must remove from various locations in the registry. That has totally made me rethink using Symantec stuff again.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Norton Antivirus has been the biggest pile of $hit AV I've ever used. It routinely misses well-known trojans/viruses. I've gotten my system infected twice in the past by simply visiting a page in IE. Norton just shut down and my system got infected. Doing a free scan at housecall.trendmicro.com, Trendmicro was able to detect the virus easily. Norton just kept telling me no virus was found.
Stay far away from Norton. It's worthless.
eTrade SUCKS
A couple of days back they rated a hack that could theoretically forge you root access to a Mac OS X box if you (a) already had an account and (b) had physical access to the machine as 6.9/10.
Now we discover (really not surprisingly) that they themselves are a vector.
I wonder how long Symantec has been sitting on this ugly beast, and how many have gotten "owned" because of it?
A month? Six months? A year?
Some of the holes in IE have been open for over a year.
Running with Linux for over 20 years!
I don't see this anywhere in the linked-to article. Maybe someone could point it out to me. If a spokesman for Symantec said this, he should immediately put out a correction since I'm confident his thinking was of an exploit as compared to a vulnerability.
But why is the rum gone?
The advisory also says Symantec Antivirus Corporate Edition 9.01.1000 is "non-vulnerable." This update was also required for XP SP2 so it should already be widely deployed. This is the version I have installed and there is no Dec2EXE.dll present.
Peter Norton vs. Evil Virus:
BANG! You're dead!
RIP one Evil Virus.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
After a 30-minute call with Symantec (most of which was being on hold), I found out this information:
Go to http://licensing.symantec.com/. From there, you can select the Product Media link on the bottom of the page and Click to Download. Select your language, and then on the next page, enter your product's serial number. The serial number will probably be either on your product media or on your support certificate. This will take you to a link where you can download the entire product media for Symantec AntiVirus Corporate Edition v9.0.2.1000. Note that this is a 218MB download, so it may take a while, though I'm currently getting about 275KB/sec. I hope this helps everyone out!
That's helpful indeed, but after reading their website, I found that MR3, that is release 9.03.1000 is the latest, and it isn't available through the https: website. You still have to call them if you want MR3, whereupon they'll e-mail you a link to the FTP site containing the files, along with a login/password that is changed on a daily basis.
I was on hold for around 30-40 minutes, which included being transferred from Licensing to Tech Support when Licensing couldn't find the 9.02.1000 on the https: website either.
Never look down your nose at others. Someday, someone is bound to see your boogers.
Sorry, but I'm a long time user of AVG free and I can say with certainty that it sucks...at least 10 plus times, I've scanned my system with other scanners and as soon as they scan an infected file, THEN and ONLY THEN does AVG tell me...this, instead of blocking them before they were written to my hard drive in the first place. That's crappy as hell.
Actually, there isn't a patch for this per se. They are releasing a bloodhound signature that should catch any currently unknown viruses that try to exploit this. This really isn't a patch. The only way to fully protect any machine with these Symantec Products is to upgrade to the latest version of the software.
... entire problem with the W95.CIH (Bloodhound/Chernobyl) virus for Win 95/98/ME users back in the day, where doing an AV scan would infect every accessed .exe? Why hasn't a safer method of scanning been brought about yet, despite obvious major threats like CIH once was?
When I am king, you will be first against the wall
With your opinion which is of no consequence at all
And cancer is not cancer until diagnosed?
Who still believes the 'security through obscurity' mantra these days?
--
Search is going mobile.
Isn't that the purpose of a virus checker? To execute the virus. I mean how else do you kill it?
Alex Wheeler and Neil Mehta from ISS who discovered the issue(s) will be giving a paper at CanSecWest (http://cansecwest.com) called "Owning Anti-Virus"... They've released an F-Secure advisory along the same lines... which other AV vendor(s) will be next on their list I wonder? :-)
... at least from what I have read so far. Funny thing is that I just updated it a couple days ago. Nonetheless, I'm still going to update it again just to be on the safe side.
I have finally dumped Symantec antivirus. Repeated de-activations, despite having a genuine copy of the software. Persistent inability to remove viruses. Program bloat. Plus, NAV must be a target for all the virus authors.
I am so over that software. It's too old and fat.
I got a security notice from F-Secure today that outlined a similar vulnerability in several of their products (execute code).
http://www.f-secure.com/security/fsc-2005-1.shtml
http://shit.slashdot.org/article.pl?sid=05/02/10/1327220
Just the first time Symantec has admitted it, I guess.
See the link in my sig blatantly pimping a software product? A while back, that product was compressed with UPX to make the download faster - UPX did a much better job of compressing the executable than either ZIP or Inno Setup. Things were good.
But that had to stop when I got mysterious complaints from users who said their computer would freeze for a minute or so each time they ran my program. Even stranger, their computer froze in exactly the same way when they installed the program. Turns out these users were all running Norton AntiVirus, and when NAV scans some (but not all) executables compressed with UPX, it just sucks. CPU time, that is. I searched the web and found some other reports of the same problem with other compressed apps.
I reported it to Symantec, and what did they tell me? Why, I must be mistaken! There's no incompatibility between NAV and UPX! Go away.
So I'm pleasantly surprised that they're actually admitting that a problem with UPX exists, even if it might not be the same one I encountered. Maybe once everyone has upgraded, I can go back to compressing the software I distribute.
Visual IRC: Fast. Powerful. Free.
Forget Crossover unless you KNOW the "power user" apps needed by a user are supported. Crossover/WINE works on a very small subset of Windows apps.
Win4Lin uses an actual copy of Windows (the version supporting W2000 should be out by now) and runs just about anything that ran on Windows to begin with. Win4Lin made it possible for me to run Linux (there is no good solution for porting Eudora mailboxes and address books) and wait for the Open Source graphics apps to grow up to the usable point.
You are right in that it's the power Windows users who are going to have trouble... plus anyone who wants to send documents outside an organization that's switched.
Little differences become big ones when an outside client or editor is the one that is complaining about them.
Tech Public Policy stuff
I think this was a (minor) plot point in Jennifer Government by Max Barry. Someone designs a virus that uses an overflow in NAV to get itself distributed to all the workstations in a company. I think in the book it was program designed to get NAV to create a pattern on the server that would crash the workstations when they were updated with it, but it still seems strangely similar.
For once, I'd like an honest, unbiased report on some important news on Slashdot.org. It seems to me that the common article posters word their postings in such a way as to demonize the corporate companies regardless of circumstances. In this particular post, for example, Symantec has acknowledged that several older products without recent updates are vulnerable to this attack, but recent products and even older software with recent updates are protected against such threats. http://www.techtree.com/techtree/jsp/showstory.jsp?storyid=57565
Please control your anger against the corporate companies and recheck your facts. Thank you,
Dan Brown
Asheville, NC
my 8.10 build is not in the list of affected and non-affected.
:>
oh wellz
Wow, after freaking out trying to find a serial for our copy of SAV9.0 Corporate, they revised the original advisory saying that it's not vulnerable.