Symantec Antivirus May Execute Virus Code
An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.
"No updates available for this product."
I've checked several versions, starting with the corporate edition which we use.
I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.
AVG, free and worry free. (This was not a paid endorsement)
"A vulnerability is not a vulnerability till somebody discovers it..."
Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
May I be the first to congratulate our executable overlords!
http://fedora.redhat.com/
No time to waste! Systems may already be infected, so better get offline immediately, review what installed software is at risk and start figuring out a way to get the patches... no, wait, I run linux.
Wonder what's on TV tonight?
Trust the Computer. The Computer is your friend.
if you went in for an STD test and they gave you herpes!
Just another reason to go to free anti-virus software, such as AVG or Avast. I have removed Norton from all my personal computers and replaced them with Avast.
I just wish big corporations would realize that by using Norton/Symantec, that they are using the most targeted [by antivirus-disabling viruses] antivirus software out today.
Come on! A cardboard door is not a vulnerability until someone figures out how to get it wet?!
Like all talking heads the guy didn't think before opening his mouth. The problem is this: you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. There are unknowable numbers of unknown vulnerabilities and known numbers of known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.
From TFA:
A vulnerability is not a vulnerability till somebody discovers it
So that's how security works! Suppress knowledge of the problem!
It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.
You know all those idiotic flamewars that spring up whenever the "irony" tag is used?
Once and for all - THIS is irony. You can shut up now.
"A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.
It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."
A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.
If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?
Honey, I shrunk the Cygwin
Every time I go to someone's house and they have "technical" questions, I walk to the computer to find, 80% of the time, McAfee that dates back to 2000-2002 (the other 20% is NAV). No warning that it's not updating anymore or anything. People assume that the icon in the tray is there and they feel safe. I nuke it and install AVG. Works great. Less of a resource hog (especially compared to NAV) and oh yeah.. it's FREE as in beer!
I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are for damages... not good when antivirus software actually ends up triggering the infection.
Every time I see a machine come into my store with a Symantec or a McAfee product I recommend a better solution. Running AntiVir or AVG on a machine with either product will almost always produce a large list of positives, even if they are spyware-related trojans just waiting to be run to download tons of crap. But then I also recommend and will install Firefox (or another Mozilla-based browser) on anyone's machine. Machines with Firefox tend not to come back broken 2 days later.
This doesn't surprise me in the least with the quality I've experienced with their products. After I recommend another solution, everyone seems to say something about it being recommended at Best Buy/CompUSA. And if the worker there thinks it's good, it must be. Wonder if they get a kick back on Symantec products?
rm -rf
....Norton Antivirus/Internet Security is the biggest piece of shit excuse for security software EVAR. It is poorly designed, poorly implemented, always breaks, and the only fix is "please reinstall NIS".
Now they're getting into spyware/adware removal, and Norton will always find stuff, but when trying to deal with it it just gives a 'delete failed' message and that's it. And it will continue to nag you about things it finds.
People who don't know any better see these displays in Best Buy, believe the hype and go home and install this paranoiaware. If it is NIS it promptly breaks their internet connection and screws up their email client. If they call Symantec for help in configuring, Symantec will refer them to their ISP.
What a bunch of fucks. Color me mofo, but I'm telling people to uninstall NIS these days (and the funny thing is that complete removal often requires registry hacking). It's more trouble than it is worth. Tech support is bad enough without this crap.
do() || do_not();
#!/bin/sh
# Joke "scanner": runs every file as root and declares it clean
# if the machine is still up afterwards. system_still_running is
# not a real command; the absurdity is the point.
echo Scanning...
for file in `find . -type f`
do
    sudo "$file"
    if system_still_running
    then
        echo File $file OK
    fi
done
Got this link from Platinum support. UPX Parsing Engine Heap Overflow
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.
The support engineer that I spoke with today stated that even though we have gold support you don't get notified for anything except "major releases".
I had been complaining that I've been trying to get 9.0.3 for a couple of days now and customer support was a runaround and why can't I get updates like I should be.
He then told me that the MR packs are "not available unless you call tech support".
I then spent 15 minutes on the phone to customer service without speaking to anyone and hanging up.
He at least sent me a link to download the latest releases.
Thanks Symantec. I had to pull teeth to get you to talk, and even then you said only the least necessary. Great service.....:)
If you want to have a secure system you have to use less software, not more. Virus scanners et al. are part of the problem, not part of the solution.
"A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint-Exupery
http://www.symantec.com/avcenter/security/Content/2005.02.08.html
The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.
So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.
This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
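The post above describes the bug class rather than the code, so here is an added illustration (written for this page, not Symantec's DEC2EXE code and not UPX's real layout): a toy "packed executable" whose header carries an unpacked-size field. The format (magic "PACK", two little-endian u32 sizes, an RLE body of (count, byte) pairs) and the two sample files are constructed for the example. The trusting decoder sizes its heap buffer from the header and then writes whatever the body actually expands to, which is exactly the shape of a heap overflow in a scanner's unpacker; the checked decoder validates every length against what is really present.

```c
/* Added example: a trusting vs. a checked unpacker for a CONSTRUCTED
 * packed format. Not UPX, not Symantec's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 12                       /* "PACK" + u32 unpacked + u32 packed */
#define MAX_UNPACKED (1u << 26)          /* 64 MiB cap on declared size; a policy choice */

static uint32_t rd32(const uint8_t *p) { /* little-endian u32, alignment-safe */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What the RLE body really expands to; the decoder must trust this, not the header. */
size_t rle_expanded_size(const uint8_t *body, size_t body_len) {
    size_t total = 0;
    for (size_t i = 0; i + 1 < body_len; i += 2)
        total += body[i];
    return total;
}

/* VULNERABLE: buffer sized from the attacker-controlled header, writes bounded
 * only by the body's actual expansion. A body that expands past unpacked_size
 * overflows the heap; packed_size is never checked against file_len either.
 * Shown for reading only; main() and the tests never feed it hostile input. */
uint8_t *decode_trusting_header(const uint8_t *file, size_t file_len, size_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "PACK", 4) != 0) return NULL;
    uint32_t unpacked = rd32(file + 4);
    uint32_t packed   = rd32(file + 8);
    uint8_t *out = malloc(unpacked);
    if (!out) return NULL;
    const uint8_t *body = file + HDR_LEN;
    size_t o = 0;
    for (size_t i = 0; i + 1 < packed; i += 2)        /* over-reads if packed lies */
        for (unsigned n = 0; n < body[i]; n++)
            out[o++] = body[i + 1];                    /* no check that o < unpacked */
    *out_len = o;
    return out;
}

/* HARDENED: every length taken from the file is checked against the bytes
 * actually present, and every write against the buffer's capacity. */
uint8_t *decode_checked(const uint8_t *file, size_t file_len, size_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "PACK", 4) != 0) return NULL;
    uint32_t unpacked = rd32(file + 4);
    uint32_t packed   = rd32(file + 8);
    if (packed > file_len - HDR_LEN) return NULL;               /* body must fit the file */
    if (unpacked == 0 || unpacked > MAX_UNPACKED) return NULL;  /* refuse absurd sizes */
    const uint8_t *body = file + HDR_LEN;
    if (rle_expanded_size(body, packed) != unpacked) return NULL; /* header lies: reject */
    uint8_t *out = malloc(unpacked);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i + 1 < packed; i += 2)
        for (unsigned n = 0; n < body[i]; n++) {
            if (o >= unpacked) { free(out); return NULL; }    /* belt and braces */
            out[o++] = body[i + 1];
        }
    *out_len = o;
    return out;
}

/* Constructed samples. BENIGN declares 6 bytes and expands to "AAABBB".
 * MALICIOUS declares 4 bytes but its body expands to 255 + 255 = 510 bytes. */
static const uint8_t BENIGN[]    = { 'P','A','C','K', 6,0,0,0, 4,0,0,0, 3,'A', 3,'B' };
static const uint8_t MALICIOUS[] = { 'P','A','C','K', 4,0,0,0, 4,0,0,0, 255,0x90, 255,0xCC };

int benign_decodes_ok(void) {
    size_t n = 0;
    uint8_t *p = decode_checked(BENIGN, sizeof BENIGN, &n);
    int ok = p != NULL && n == 6 && memcmp(p, "AAABBB", 6) == 0;
    free(p);
    return ok;
}

int malicious_rejected(void) {
    size_t n = 0;
    uint8_t *p = decode_checked(MALICIOUS, sizeof MALICIOUS, &n);
    free(p);                                   /* free(NULL) is a no-op */
    return p == NULL;
}

/* How far past its 4-byte heap block the trusting decoder would write. */
size_t malicious_overflow_bytes(void) {
    return rle_expanded_size(MALICIOUS + HDR_LEN, 4) - rd32(MALICIOUS + 4);
}

int main(void) {
    printf("benign decodes: %s\n", benign_decodes_ok() ? "yes" : "no");
    printf("malicious rejected: %s\n", malicious_rejected() ? "yes" : "no");
    printf("trusting decoder would overflow by %zu bytes\n", malicious_overflow_bytes());
    return 0;
}
```

The point to carry over to any real unpacker: the only trustworthy length is the one you derive from the bytes in hand, and the declared size is a claim to verify, not a value to allocate from.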
It's not like FOSS haven't had their share of local arbitrary code execution exploits before.
Your hair look like poop, Bob! - Wanker.
The linked article states that:
Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.
So users with LiveUpdate should use the tool to handle updates. BTW, my LiveUpdate didn't install any client patch yet.
Did Microsoft buy out Norton last week?
Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).
McAfee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).
Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.
Sorry... http://www.symantec.com/avcenter/security/Content/2005.02.08.html
So as unlikely as it is that many Linux users are using a Symantec product, or that someone will target a Linux box, anything that is running a scanner(such as an email server) is vulnerable. Everyone needs to patch on this, not just the Windows guys.
Symantec recommends you immediately patch your software
Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!
And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Tim Hartman, senior technical director for Symantec Asia Pacific, said:
"A vulnerability is not a vulnerability till somebody discovers it...
Impressive foresight. Another great security through obscurity business model.
No tiny Tim, if your tire can be flattened, it will be. It's that simple.
I just got off the phone with my symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.
Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.
-ted
BTW, HP's entire corporate network rests in the hands of Norton AntiVirus Corporate Edition. I can recall several mornings of cleaning up the Blaster virus at the DataCenter then being insulted and abused when I couldn't clean up a new variant for which we had no documentation. They've made it the corporate standard along with Mozilla, however, failed to announce Mozilla to their employees - so, the majority of them still use unsecured Internet Explorer browsers because their IT department doesn't recognize the potential exploits for the browser. They keep an old image file of a preconfigured OS build per system model and image the systems through Altiris' Carbon Copy. I knew Carly was cutting corners/costs, but I didn't think she'd be so gung-ho about exporting her own position! >:-D
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:
http://www.virusbtn.com/vb100/archives/products.xml?
http://www.pcworld.com/reviews/article/0,aid,115939,pg,5,00.asp
Symantec pretty much assumes that if you are running SAV CE, then you use login scripts to push patches to machines. There is a section in the docs on the various flags to give the MSI for automated mode (eg, how to specify the group server).
(S(SKK)(SKK))(S(SKK)(SKK))
I don't care if Symantec runs virus code, just as long as windows doesn't.
Coder's Stone: The programming language quick ref for iPad
I'm glad I switched from Symantec Corp to McAfee Enterprise a few months ago. While I'm not terribly happy with McAfee (uses lots of CPU when browsing directories with many gigs of files), Symantec really pissed me off when I removed it. I had to spend about an hour removing registry keys that their uninstaller was too lazy to remove. It couldn't have been that difficult for them to have the installer remove them, but instead they give you three pages of crap that you must remove from various locations in the registry. That has totally made me rethink using Symantec stuff again.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Norton Antivirus has been the biggest pile of $hit AV I've ever used. It routinely misses well-known trojans/viruses. I've gotten my system infected twice in the past by simply visiting a page in IE. Norton just shut down and my system got infected. Doing a free scan at housecall.trendmicro.com, Trend Micro was able to detect the virus easily. Norton just kept telling me no virus was found.
Stay far away from Norton. It's worthless.
eTrade SUCKS
A couple of days back they rated a hack that could theoretically forge you root access to a Mac OS X box if you (a) already had an account and (b) had physical access to the machine as 6.9/10.
Now we discover (really not surprisingly) that they themselves are a vector.