Slashdot Mirror


Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.


  1. Immediately patch? Really? by dtfinch · · Score: 5, Informative

    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.

    1. Re:Immediately patch? Really? by Anonymous Coward · · Score: 3, Informative

      RTFA, If you are using LiveUpdate, it already installed it.

    2. Re:Immediately patch? Really? by Anonymous Coward · · Score: 5, Informative

      Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.

    3. Re:Immediately patch? Really? by Sethb · · Score: 5, Informative

      If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000.

      Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP; the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

      Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients; Symantec (or at least the rep I talked to) suggests completely removing the server (via add/remove programs) and installing the new version, not merely doing an update.

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    4. Re:Immediately patch? Really? by davez0r · · Score: 3, Informative
    5. Re:Immediately patch? Really? by andynms · · Score: 4, Informative

      For reference, the download site for corporate users is https://fileconnect.symantec.com/licenselogin.jsp. You need to log in with your corporate serial number.

  2. Better than just free by Dancin_Santa · · Score: 5, Informative

    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)

    1. Re:Better than just free by Zlib pt · · Score: 5, Informative

      "I use AVG on all my company systems and can say that in addition to being free"

      On http://free.grisoft.com/freeweb.php/doc/2/

      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

    2. Re:Better than just free by Dot.Com.CEO · · Score: 4, Informative

      I hate to break this to you but avg is NOT free in a commercial environment.

      --
      Mother is the best bet and don't let Satan draw you too fast.
  3. Actual Vulnerability Link by Talian · · Score: 4, Informative

    Got this link from Platinum support. UPX Parsing Engine Heap Overflow

    It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.

  4. More details here... by Otto · · Score: 5, Informative

    http://www.symantec.com/avcenter/security/Content/2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing; this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
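As an added illustration of the bug class Otto describes (this is not Symantec's code, and the "TPK1" packed format below is invented, not UPX), a toy decoder for compressed executables: the header's claimed unpacked size is used to size the heap buffer, and the hardened decoder bounds every write against that allocation instead of trusting the packed runs. rle_expansion shows how far an unchecked decoder would have written past the buffer on the constructed sample.

```c
/* Toy decoder for an invented packed-executable format ("TPK1"), added to show
 * the DEC2EXE/UPX bug class; not Symantec's code and not the real UPX layout.
 * Layout (little-endian): magic "TPK1", uint32 packed_len, uint32 claimed
 * unpacked_len, then packed_len bytes of RLE pairs (count, value). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { DEC_OK = 0, DEC_BAD_HEADER = -1, DEC_OVERFLOW = -2, DEC_SHORT = -3, DEC_MISMATCH = -4 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Bytes the runs really expand to: what an unchecked decoder would write into a
 * heap buffer sized only by the header's claimed unpacked_len. */
size_t rle_expansion(const uint8_t *runs, size_t packed_len) {
    size_t total = 0;
    for (size_t i = 0; i + 1 < packed_len; i += 2) total += runs[i];
    return total;
}
/* Hardened decoder: every write is bounded by the buffer actually allocated. */
int decode_packed(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < 12 || memcmp(buf, "TPK1", 4) != 0) return DEC_BAD_HEADER;
    uint32_t packed_len = rd32(buf + 4), unpacked_len = rd32(buf + 8);
    if (packed_len > len - 12 || packed_len % 2 != 0) return DEC_BAD_HEADER;
    if (unpacked_len == 0 || unpacked_len > (16u << 20)) return DEC_BAD_HEADER; /* sanity cap */
    uint8_t *dst = malloc(unpacked_len);
    if (!dst) return DEC_BAD_HEADER;
    const uint8_t *runs = buf + 12; size_t pos = 0;
    for (size_t i = 0; i < packed_len; i += 2) {
        size_t count = runs[i];
        if (count > unpacked_len - pos) { free(dst); return DEC_OVERFLOW; } /* bounds check an unchecked decoder omits */
        memset(dst + pos, runs[i + 1], count);
        pos += count;
    }
    if (pos != unpacked_len) { free(dst); return DEC_SHORT; }
    *out = dst; *out_len = pos; return DEC_OK;
}
/* Decode and compare with the expected output; returns decoder status or DEC_MISMATCH. */
int decode_and_compare(const uint8_t *buf, size_t len, const char *expect) {
    uint8_t *o; size_t n; int rc = decode_packed(buf, len, &o, &n);
    if (rc != DEC_OK) return rc;
    rc = (n == strlen(expect) && memcmp(o, expect, n) == 0) ? DEC_OK : DEC_MISMATCH;
    free(o);
    return rc;
}
/* Constructed samples: a benign file, and one whose runs exceed the claimed size. */
const uint8_t BENIGN[]  = { 'T','P','K','1', 4,0,0,0, 5,0,0,0, 3,'A', 2,'B' };
const uint8_t CRAFTED[] = { 'T','P','K','1', 4,0,0,0, 4,0,0,0, 3,'A', 200,'B' };
```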
  5. Deja vu... by Spy der Mann · · Score: 3, Informative

    Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).

    McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).

    Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.

  6. Or... by The Spoonman · · Score: 3, Informative

    Symantec recommends you immediately patch your software

    Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one; why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!

    And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  7. Affected corporate edition versions by zerofoo · · Score: 4, Informative

    I just got off the phone with my Symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.

    Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.

    -ted

  8. Helpful Articles On Virus Scanner Selection by jmole · · Score: 3, Informative

    Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:

    http://www.virusbtn.com/vb100/archives/products.xml?
    http://www.pcworld.com/reviews/article/0,aid,115939,pg,5,00.asp