Slashdot Mirror


Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.

23 of 388 comments

  1. Immediately patch? Really? by dtfinch · · Score: 5, Informative

    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.

    1. Re:Immediately patch? Really? by mrighi · · Score: 5, Funny

      That's because they gave out the wrong link. What they really meant to say was, "Symantec recommends you immediately patch your software."

    2. Re:Immediately patch? Really? by Anonymous Coward · · Score: 5, Informative

      Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.

    3. Re:Immediately patch? Really? by Sethb · · Score: 5, Informative

      If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000.

      Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP, the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

      Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients; Symantec (or at least the rep I talked to) suggests completely removing the server (via Add/Remove Programs) and installing the new version, not merely doing an update.

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    4. Re:Immediately patch? Really? by sigaar · · Score: 4, Interesting

      Would it matter? Symantec's antivirus products are getting shittier by the day. I've lost count of the times that I go to a first time client who's complaining their computer is behaving "funny."

      I sit down in front of the computer, and I can see it's infected with something. The signs are there, the writing is on the wall. But Norton/Symantec Enterprise, updated and all, is telling me it's clean. So I download McAfee Stinger or BitDefender's free scanner, clean the machine out, and sell something better to them.

      Case in point. I have a client whose ISP is running Symantec antivirus gateway on the ISP side. Behind that gateway, I've got a postfix box with amavis-new and clam, h+bedv and bitdefender scanners. You won't believe the amount of viruses I still catch, stuff that makes it through symantec's waste_of_cpu_cycles_software.

      Symantec was the good stuff back in the good old DOS days. Now they're basking in their former glory, but they're losing business and I'm happy to see them burn if they don't get off their butts and start improving their software.

      --
      sigaar
    5. Re:Immediately patch? Really? by andynms · · Score: 4, Informative

      For reference, the download site for corporate users is https://fileconnect.symantec.com/licenselogin.jsp. You need to log in with your corporate serial number.

  2. Better than just free by Dancin_Santa · · Score: 5, Informative

    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)

    1. Re:Better than just free by Zlib+pt · · Score: 5, Informative

      "I use AVG on all my company systems and can say that in addition to being free"

      On http://free.grisoft.com/freeweb.php/doc/2/

      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

    2. Re:Better than just free by Dot.Com.CEO · · Score: 4, Informative

      I hate to break this to you but avg is NOT free in a commercial environment.

      --
      Mother is the best bet and don't let Satan draw you too fast.
    3. Re:Better than just free by lucabrasi999 · · Score: 4, Funny

      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

      I guess Santa isn't Dancing anymore.

    4. Re:Better than just free by Rick+Zeman · · Score: 5, Funny

      As long as it's not company policy, i.e., each employee that uses it is installing it for personal use, it's free.

      I worked for a company that refused to pay for AV, and we all had it on our desktops, except the managers.
      So what part of "home" did you all deliberately misunderstand?

  3. huh? by justforaday · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    1. Re:huh? by pegasustonans · · Score: 4, Funny

      No, you've got it all wrong. The person didn't actually exist, and all of the people who thought about the person existing didn't exist either. And all of the people who thought the person might or might not exist, but probably didn't, and should therefore be disregarded, were very clever and were hired by anti-virus companies to do their PR for them.

      --
      And all our yesterdays have lighted fools The way to dusty death. --Will
    2. Re:huh? by worst_name_ever · · Score: 4, Funny

      You must not have gotten the latest memo from Symantec: "We apologise again for the fault in the antivirus software. Those responsible for sacking the people who have just been sacked, have been sacked."

      --
      In Soviet Rush, today's Tom Sawyer gets high on you.
  4. Sheer brilliance by stinky+wizzleteats · · Score: 5, Insightful

    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Suppress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.

  5. Okay, Farkers... by Mmm+coffee · · Score: 5, Funny

    You know all those idiotic flamewars that spring up whenever the "irony" tag is used?

    Once and for all - THIS is irony. You can shut up now.

  6. A vulnerability is always a vulnerability. by JessLeah · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?

  7. Surprisingly honest by phorm · · Score: 5, Interesting

    I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.

    Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.

  8. Actual Vulnerability Link by Talian · · Score: 4, Informative

    Got this link from Platinum support. UPX Parsing Engine Heap Overflow

    It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software.

  9. More details here... by Otto · · Score: 5, Informative

    http://www.symantec.com/avcenter/security/Content/2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing; this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
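Otto's description above (an unpacker that trusts a crafted file and overflows the heap buffer it decompresses into) is the classic bug class for this kind of scanner component. The following is an added example, not code from the article, the advisory or Symantec: it uses a constructed toy LZ-style format to show the three bounds checks such a decoder has to make before every write, and demo streams that exercise a valid file, an over-long literal run and a bad back-reference.

```c
/* Added illustration of the bug class in a packed-executable unpacker, using a constructed
 * LZ-style format (NOT UPX or Symantec's DEC2EXE). Stream: 1 byte declared unpacked size,
 * then records 0x00 len b[0..len) (literal run) or 0x01 dist len (copy len bytes from
 * dist bytes back in the output). Returns a malloc'd buffer (caller frees) or NULL. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
uint8_t *unpack(const uint8_t *in, size_t in_len, size_t *out_len) {
    if (in_len < 1 || in[0] == 0) return NULL;
    size_t declared = in[0];          /* attacker-controlled claim; the heap buffer is sized from it */
    uint8_t *out = malloc(declared);
    if (!out) return NULL;
    size_t ip = 1, op = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len) goto bad;
            size_t len = in[ip++];
            /* check 1: the run must fit the remaining input AND the remaining output */
            if (len > in_len - ip || len > declared - op) goto bad;
            memcpy(out + op, in + ip, len);
            ip += len; op += len;
        } else if (tag == 0x01) {
            if (in_len - ip < 2) goto bad;
            size_t dist = in[ip++], len = in[ip++];
            /* check 2: reference must point into bytes already produced; copy must stay in buffer */
            if (dist == 0 || dist > op || len > declared - op) goto bad;
            for (size_t i = 0; i < len; i++, op++) out[op] = out[op - dist];
        } else goto bad;
    }
    if (op != declared) goto bad;     /* check 3: the stream must fill its claim exactly */
    *out_len = op; return out;
bad:
    free(out); return NULL;
}
/* Constructed sample streams; each returns 1 when the decoder behaves as intended. */
int demo_valid(void) {                /* "AB", then copy 6 bytes from 2 bytes back */
    const uint8_t s[] = {8, 0x00, 2, 'A', 'B', 0x01, 2, 6};
    size_t n; uint8_t *o = unpack(s, sizeof s, &n);
    int ok = o && n == 8 && memcmp(o, "ABABABAB", 8) == 0;
    free(o); return ok;
}
int demo_overlong_literal(void) {     /* header claims 4 bytes but the run carries 8 */
    const uint8_t s[] = {4, 0x00, 8, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};
    size_t n; return unpack(s, sizeof s, &n) == NULL;
}
int demo_bad_backref(void) {          /* reference reaches before the start of the output */
    const uint8_t s[] = {4, 0x00, 1, 'A', 0x01, 3, 3};
    size_t n; return unpack(s, sizeof s, &n) == NULL;
}
```

Without check 1 the second stream writes four bytes past the end of the heap allocation, which is the shape of defect the advisory describes.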
  10. Re:Yet another reason by Pionar · · Score: 4, Interesting

    Yada yada yada.

    Well, because AVG and Avast are free, they're less vulnerable, right?

    Bullshit.

    I like the hypocrisy of people criticizing Symantec's guy for touting security through obscurity, then turning around and preaching it themselves.

    And I'd like to see how these things work in a corporate environment. Oh, wait. They don't.

    Symantec has excellent corporate support and management features.

  11. Re:Immediate patch... by 1u3hr · · Score: 4, Insightful
    but there are people at my company who can barely use windows and you want a company to switch to a much less user friendly environment? The time to retrain people would be horrendous and not to mention training them on completely new software. Changing OS for individuals is not viable for most companies. PERIOD

    The ones who "can barely use Windows" will complain that the start menu is in a different place and their screensaver won't work, otherwise they won't notice what they're using to type their memos, add up their expenses, or surf their porn. It's the "power users" who've written macros and such who are the difficult ones. Budget for buying Crossover for them while you gradually wean them off.

    I worked in an office that, due to absorbing other small companies, had CP/M, DOS, Win 3, Win 98, MacOS 7, MacOS 8, all in use, and the staff were mostly clueless; but instead of throwing a fit were mostly willing to spend the few minutes needed to locate the icons to open a word processor, print, email... and that covers 95% of what they needed. It's strange to me that it's assumed that office workers are complete sheep who will be thrown into a panic by the slightest change in their desktop; forgetting that anyone who's worked for 15 years has probably gone through DOS, Win 3/95/98/2K/XP, not to mention Wordstar/WordPerfect/Word5/6/WinWord; Lotus 123/Excel, etc, etc.

    Why should one more round of change be so hard, especially with most of the change actually being behind the scenes rather than in the interface -- "open file", "select (with mouse)" "change font", "print" are all the same except for minor cosmetic differences as far as the user is concerned, whatever platform and suite you're using.

  12. Affected corporate edition versions by zerofoo · · Score: 4, Informative

    I just got off the phone with my Symantec rep, and he says any corporate edition anti-virus product 9.0.1.1000 or newer is not affected.

    Anyone with a valid license can go to Symantec's fileconnect website and download the newest version.

    -ted