Slashdot Mirror


Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.

7 of 388 comments

  1. huh? by justforaday · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    1. Re:huh? by drinkypoo · · Score: 3, Insightful

      Yeah, I don't even have to RTFA to know that this guy is a complete idiot. Anyone who is willing to say that has his head so far up his ass that he can look out of his own nostrils. If there's a weakness in, say, the breastplate of a suit of armor, it's a vulnerability. If you get hit there, you are more likely to die. It doesn't matter if someone knows about it or not. Granted there is a serious problem with that metaphor in that you typically don't exploit problems by accident, but it seems highly likely to me that someone actually IS exploiting it out there, and that's why they discovered the hole in the first place. Symantec is not exactly known for having the highest-quality virus scan tool out there, although I do like their corporate version. Still, their software is full of bugs and inconsistencies (some places ^A works, some places it doesn't, for example) and it has been always thus.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:huh? by gryfen · · Score: 3, Insightful

      Of course! It's the standard corporate PR stance regarding vulnerabilities:
      The User of Our Software May Feel Secure, because:
      (1) Any bugs which may or may not hypothetically exist in our software do not *actually* exist until someone publicly blows the whistle (refer to the cat in the box)
      (2) The whistleblower is actually the one to blame for the insecurity existing, not our poor coding and software testing standards.
      (3) Ignore the [H,Cr]acker Behind the Curtain who may or may not have discovered the hypothetical security hole in our software and decided to keep the info to his/her self. Their existence, real or not, does not actually threaten your security while using our software.

  2. a minor flaw in his logic by Anonymous Coward · · Score: 3, Insightful

    Like all talking heads the guy didn't think before opening the mouth. The problem is this: you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. There are unknowable numbers of unknown vulnerabilities and known numbers of known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.

  3. Sheer brilliance by stinky+wizzleteats · · Score: 5, Insightful

    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Suppress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.

  4. A vulnerability is always a vulnerability. by JessLeah · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?

  5. Re:Immediate patch... by 1u3hr · · Score: 4, Insightful
    but there are people at my company who can barely use windows and you want a company to switch to a much less user friendly environment? The time to retrain people would be horrendous and not to mention training them on completely new software. Changing OS for individuals is not viable for most companies. PERIOD

    The ones who "can barely use windows" will complain that the start menu is in a different place and their screensaver won't work, otherwise they won't notice what they're using to type their memos, add up their expenses, or surf their porn. It's the "power users" who've written macros and such who are the difficult ones. Budget for buying Crossover for them while you gradually wean them off.

    I worked in an office that due to absorbing other small companies, had CP/M, DOS, Win 3, Win 98, MacOS 7, MacOS 8, all in use, and the staff were mostly clueless; but instead of throwing a fit were mostly willing to spend the few minutes needed to locate the icons to open a word processor, print, email... and that covers 95% of what they needed. It's strange to me that it's assumed that office workers are complete sheep who will be thrown into a panic by the slightest change in their desktop; forgetting that anyone who's worked for 15 years has probably gone through DOS, Win 3/95/98/2K/XP, not to mention Wordstar/WordPerfect/Word5/6/WinWord; Lotus 123/Excel, etc, etc.

    Why should one more round of change be so hard, especially with most of the change actually being behind the scenes rather than in the interface -- "open file", "select (with mouse)" "change font", "print" are all the same except for minor cosmetic differences as far as the user is concerned, whatever platform and suite you're using.