Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Antivirus May Execute Virus Code

Posted by Zonk on from the antivirus-not-so-anti dept.

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: "A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well"" Symantec recommends you immediately patch your software.

39 of 388 comments (clear)

  1. Immediately patch? Really? by dtfinch · · Score: 5, Informative

    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.

    1. Re:Immediately patch? Really? by mrighi · · Score: 5, Funny

      That's because they gave out the wrong link. What they really meant to say was, "Symantec recommends you immediately patch your software."

    2. Re:Immediately patch? Really? by Anonymous Coward · · Score: 3, Informative

      RTFA, If you are using LiveUpdate, it already installed it.

    3. Re:Immediately patch? Really? by Anonymous Coward · · Score: 5, Informative

      Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.

    4. Re:Immediately patch? Really? by Sethb · · Score: 5, Informative

      If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000

      Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

      Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients, Symantec (or at least the rep I talked to) suggests completely removing the server (via add/remove programs) and installing the new version, not merely doing an upate.

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    5. Re:Immediately patch? Really? by sigaar · · Score: 4, Interesting

      Would it matter? Symantec's antivirus products are getting shittier by the day. I've lost count of the times that I go to a first time client who's complaining their computer is behaving "funny."

      I sit down in front of the computer, and I can see it's infected with something. The signs are the, writing is on the wall. But norton/symantec enterprise, updated and all, is telling me it's clean. So I download McCaffee Stinger or BitDefender's free scanner, clean the Machine out, and sell something better to them.

      Case in point. I have a client who's ISP is running Symantec antivirus gateway on the ISP side. Behind that gateway, I've got a postfix box with amavis-new and clam, h+bedv and bitdefender scanners. You won't believe the amount of virusses I still catch, stuff that make it through symantec's waste_of_cpu_cycles_software.

      Symantec was the good stuff back in the good old DOS days. Now they're baking in their former glory, but they're loosing business and I'm happy so see them burn if they don't get off their butts and start improving their software.

      --
      sigaar
    6. Re:Immediately patch? Really? by davez0r · · Score: 3, Informative

      here is the list

      http://www.sarc.com/avcenter/security/Content/2005 .02.08.html

    7. Re:Immediately patch? Really? by andynms · · Score: 4, Informative

      For reference, the download site for corporate users is https://fileconnect.symantec.com/licenselogin.jsp. You need to log in with your corporate serial number.

  2. Better than just free by Dancin_Santa · · Score: 5, Informative

    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)

    1. Re:Better than just free by Zlib+pt · · Score: 5, Informative

      "I use AVG on all my company systems and can say that in addition to being free"

      On http://free.grisoft.com/freeweb.php/doc/2/

      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

    2. Re:Better than just free by Dot.Com.CEO · · Score: 4, Informative

      I hate to break this to you but avg is NOT free in a commercial environment.

      --
      Mother is the best bet and don't let Satan draw you too fast.
    3. Re:Better than just free by lucabrasi999 · · Score: 4, Funny
      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

      I guess Santa isn't Dancing anymore.

    4. Re:Better than just free by Rick+Zeman · · Score: 5, Funny

      As long as it's not company policy ie. each employee that uses it is installing it for personal use, it's free.

      I worked for a company that refused to pay for AV, and we all had it on our desktops, except the managers.

      So what part of "home" did you all deliberately misunderstand?

  3. huh? by justforaday · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    1. Re:huh? by pegasustonans · · Score: 4, Funny

      No, you've got it all wrong. The person didn't actually exist, and all of the people who thought about the person existing didn't exist either. And all of the people who thought the person might or might not exist, but probably didn't, and should therefore be disregarded, were very clever and were hired by anti-virus companies to do their PR for them.

      --
      And all our yesterdays have lighted fools The way to dusty death. --Will
    2. Re:huh? by LourensV · · Score: 3, Funny

      I think he is a quantum physicist...

    3. Re:huh? by drinkypoo · · Score: 3, Insightful

      Yeah, I don't even have to RTFA to know that this guy is a complete idiot. Anyone who is willing to say that has his head so far up his ass that he can look out of his own nostrils. If there's a weakness in, say, the breastplate of a suit of armor, it's a vulnerability. If you get hit there, you are more likely to die. It doesn't matter if someone knows about it or not. Granted there is a serious problem with that metaphor in that you typically don't exploit problems by accident, but it seems highly likely to me that someone actually IS exploiting it out there, and that's why they discovered the hole in the first place. Symantec is not exactly known for having the highest-quality virus scan tool out there, although I do like their corporate version. Still, their software is full of bugs and inconsistencies (some places ^A works, some places it doesn't, for example) and it has been always thus.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:huh? by cronius · · Score: 3, Interesting

      I second that. What an incredibly stupid statement. Like as if they are the ones deciding what is known and what isn't, like as if they must know more than anyone, so if *they* don't know, nobody does.

      I mean, why do viruses exist in the first place? Is it because they exploit open, known vulnerabilities? Or is it because crackers *find* vulnerabilites to exploit?

      Talk about stupid.

      --
      Life is Reality
    5. Re:huh? by worst_name_ever · · Score: 4, Funny

      You must not have gotten the latest memo from Symantec: "We apologise again for the fault in the antivirus software. Those responsible for sacking the people who have just been sacked, have been sacked."

      --

      In Soviet Rush, today's Tom Sawyer gets high on you.
    6. Re:huh? by gryfen · · Score: 3, Insightful

      Of course! It's the standard corporate PR stance regarding vulnerabilities:
      The User of Our Software May Feel Secure, because:
      (1) Any bugs which may or may not hypothetically exist in our software do not *actually* exist until someone publicly blows the whistle (refer to the cat in the box)
      (2) The whistleblower is actually the one to blame for the insecurity existing, not our poor coding and software testing standards.
      (3) Ignore the [H,Cr]acker Behind the Curtain who may or may not have discovered the hypothetical security hole in our software and decided to keep the info to his/her self. Their existence, real or not, does not actually threaten your security while using our software.

  4. Damn! by JanneM · · Score: 3, Funny

    No time to waste! Systems may already be infected, so better get offline immediately, review what installed software is at risk and start figuring out a way to get the patches... no, wait, I run linux.

    Wonder what's on TV tonight?

    --
    Trust the Computer. The Computer is your friend.
    1. Re: Damn! by Black+Parrot · · Score: 3, Funny


      > no, wait, I run linux. Wonder what's on TV tonight?

      Switch to Gentoo and you'll have something to do tonight.


      --
      Sheesh, evil *and* a jerk. -- Jade
  5. a minor flaw in his logic by Anonymous Coward · · Score: 3, Insightful

    Like all talking heads the guy didn't think before opening the mouth. The problem is this : you don't know if anyone had previously found this vulnerability. So you can't say it wasn't a vulnerability before *you* found it or before it was reported to *you*. The are unknowable numbers of unknown vulnerabilities and known numbers known vulnerabilities. You cannot know the size of the unknown set -- even if it is in reality the empty set.

  6. Sheer brilliance by stinky+wizzleteats · · Score: 5, Insightful

    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Supress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.

  7. Okay, Farkers... by Mmm+coffee · · Score: 5, Funny

    You know all those idiotic flamewars that spring up whenever the "irony" tag is used?

    Once and for all - THIS is irony. You can shut up now.

    1. Re:Okay, Farkers... by c4miles · · Score: 3, Funny

      What, addressing an entire community of /.ers as Farkers whilst making a point about irony?

      Yes. This is irony.

  8. A vulnerability is always a vulnerability. by JessLeah · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?

    --
    Honey, I shrunk the Cygwin
  9. Surprisingly honest by phorm · · Score: 5, Interesting

    I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
    br Definately a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up trigging the infection.

  10. Re:Immediate patch... by russint · · Score: 3, Funny

    Thanks. Now, can you explain how my company is to quikly move all of thousands of employees and all of our internal Windows-based applications to redhat in the next 24 hours?

    Amphetamine.

    --
    ^^
  11. Actual Vulnerability Link by Talian · · Score: 4, Informative

    Got this link from Platinum support. UPX Parsing Engine Heap Overflow

    It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.

  12. More details here... by Otto · · Score: 5, Informative

    http://www.symantec.com/avcenter/security/Content/ 2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing, this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  13. Re:Yet another reason by Pionar · · Score: 4, Interesting

    Yada yada yada.

    Well, because AVG and Avast are free, they're less vulnerable, right?

    Bullshit.

    I like the hypocrisy of people criticizing Symantec's guy for touting security through obscurity, then turning around and preaching it themselves.

    And I'd like to see how these things work in a corporate environment. Oh, wait. They don't.

    Symantec has excellent corporate support and management features.

  14. Deja vu... by Spy+der+Mann · · Score: 3, Informative

    Around 1994, the NATAS virus stormed computers all around the world. It was the first polymorphic virus. And it was undetectable with traditional means (didn't alter the exes' CRC).

    McAffee released a new (experimental?) version of their antivirus, so that it would clean NATAS. Unfortunately, sometimes if you pressed CTRL-C, part of your programs' code would execute randomly (later, they released a completely different version, which effectively cleaned NATAS and similar viruses, without having such nasty bugs).

    Frankly, this execute-to-test-for-viruses was always a bad idea. I don't know why Symantec fell into that. Unless of course, it's more like a buffer overflow, which is understandable.

  15. Re:Yet another reason by kyojin+the+clown · · Score: 3, Funny
    Symantec has excellent corporate support and management features

    True.

    If only it had excellent anti-virus features to go with them.

  16. Re:Immediate patch... by Mant · · Score: 3, Interesting

    If you would RTFA:

    Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said.

    This isn't an OS problem, this is an application problem.

    Of course hackers are less likely to write something that runs on a non-Windows OS, but the flaw isn't fixed by moving from Windows.

  17. Or... by The+Spoonman · · Score: 3, Informative

    Symantec recommends you immediately patch your software

    Or, you can fire your mail admin for allowing executable files to even get to the point where they need to be scanned and get one that knows what they're doing. Your incoming SMTP should be rejecting any e-mail that has one, why bother scanning it? There are ways that were designed for transporting these things, e-mail was not it!

    And, remember: when bitching about this, make absolutely sure you're loudly and clearly proclaiming this to be the fault of MS or Symantec. Otherwise, you run the risk of someone actually placing the blame where it really belongs: with the administrator who shouldn't have been affected by this in any way.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  18. Re:Immediate patch... by 1u3hr · · Score: 4, Insightful
    but there are people at my company who can barely use windows and you want a company to switch to a much less user friendly environment? The time to retrain people would be horrendous and not to mention training them on completely new software. Changing OS for individuals is not viable for most companies. PERIOD

    The ones who "can barely use windows" will complain that the start menu is in a different place and their screensaver won't work, otherwise they won't notice what they're using to type their memos, add up their expenses, or surf their porn. It's the "power users" who've wriiten macros and such who are the difficult ones. Budget for buying Crossover for them while you gradually wean them off.

    I worked in an office that due to absorbing other small companies, had CP/M, DOS, Win 3, Win 98, MacOS 7, MacOS 8, all in use, and the staff were mostly clueless; but instead of throwing a fit were mostly willing to spend the few minutes needed to locate the icons to open a word processor. print, email... and that covers 95% of what they needed. It's strange to me that it's assumed that office workers are complete sheep who will be thrown into a panic by the slightest change in their desktop; forgetting that anyone who's worked for 15 years has probably gone through DOS, Win 3/95/98/2K/XP, not to mention Wordstar/WordPerfect/Word5/6/WinWord; Lotus 123/Excel, etc, etc.

    Why should one more round of change be so hard, especially with most of the change actually being behind the scenes rather than in the interface -- "open file", "select (with mouse)" "change font", "print" are all the same except for minor cosmetic differences as far as the user is concerned, whatever platform and suite you're using.

  19. Affected corporate edition versions by zerofoo · · Score: 4, Informative

    I just got off the phone with my symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.

    Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.

    -ted

  20. Helpful Articles On Virus Scanner Selection by jmole · · Score: 3, Informative

    Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:

    http://www.virusbtn.com/vb100/archives/products.xm l?
    http://www.pcworld.com/reviews/article/0,aid,11593 9,pg,5,00.asp