Slashdot Mirror
Symantec Antivirus May Execute Virus Code
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.
"No updates available for this product."
I've checked several versions, starting with the corporate edition which we use.
I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.
AVG, free and worry free. (This was not a paid endorsement)
Got this link from Platinum support. UPX Parsing Engine Heap Overflow
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
The support engineer that I spoke with today stated that even though we have gold support you don't get notified for anything except "major . releases".
I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.
He then told me that the MR packs are "not available unless you call tech support".
I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.
He at least sent me a link to download the latest releases.
Thanks Symantec. I had to pull at your teeth to get you to talk, and only then you just spoke the least necessary. Great service.....:)
http://www.symantec.com/avcenter/security/Content/ 2005.02.08.html
The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.
So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.
This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.
The linked article states that:
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
So users with LiveUpdate should use tool to handle updates. BTW, my LiveUpdate didn't install any client patch. yet.
Given the current business risk of operating on a virus-encumbered operating system like windows, it surprises me that a plan to transition employees has not already been started. Unless of course, the occasional couple of days of downtime is an acceptable business cost. Really, if you factor in the additional costs of running windows over running JUST ABOUT ANY OTHER OS, you could easily make a solid business case to at least INVESTIGATE the possibility of running on a more secure OS. I am sure you will find equivalent applications to replace most of your internal windows-based programs, and for the ones you cannot, there is the possibility of running them under WINE. It also would not be difficult to come up with a plan to transition your thousands of employees - and executives WILL listen if it means you could save them time and frustration. Yes, it demands work up front - but that's easier to schedule than unexpected downtime from the latest wave of viruses.
Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).
McAffee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).
Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
Sorry... http://www.symantec.com/avcenter/security/Content/ 2005.02.08.html
So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on this, not just the Windows guys.
Symantec recommends you immediately patch your software
Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!
And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
I just got off the phone with my symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.
Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.
-ted
Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:
m l? 3 9,pg,5,00.asp
http://www.virusbtn.com/vb100/archives/products.x
http://www.pcworld.com/reviews/article/0,aid,1159
Syamantec pretty much assume that if you are running SAV CE, than you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (eg, how to specify the group server).
(S(SKK)(SKK))(S(SKK)(SKK))
I'm glad I switched from Symantec Corp to McAfee Enterprise a few months ago. While I'm not terribly happy with McAfee(uses lots of CPU when browsing directories with many gigs of files), Symantec really pissed me of when I removed it. I had to spend about an hour removing reg. keys that their uninstaller was too lazy to remove. It couldn't have been that difficult for them to have the installre remove them, but instead they give you a three pages of crap that you must remove from various locations in the registry. That has totally made me rethink using Symantec stuff again.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Norton Antivirus has been the biggest pile of $hit AV I've ever used. It routinely misses well-known trojans/viruses. I've gotten my system infected twice in the past by simply visiting a page in IE. Norton just shut down and my system got infected. Doing a free scan at housecall.trendmicro.com, Trendmicro was able to detec the virus easily. Norton just kept telling me no virus was found.
Stay far away from Norton. It's worthless.
eTrade SUCKS
After a 30-minute call with Symantec (most of which was being on hold), I found out this information:
Go to http://licensing.symantec.com/. From there, you can select the Product Media link on the bottom of the page and Click to Download. Select your language, and then on the next page, enter your product's serial number. The serial number will probably be either on your product media or on your support certificate. This will take you to a link where you can download the entire product media for Symantec AntiVirus Corporate Edition v9.0.2.1000. Note that this is a 218MB download, so it may take a while, though I'm currently getting about 275KB/sec. I hope this helps everyone out!