Slashdot Mirror


Symantec Antivirus May Execute Virus Code

An anonymous reader writes "Symantec has admitted that a serious vulnerability exists in the way its scanning engine handles Ultimate Packer for Executables. According to a ZDNet article, this means the scanner would execute the malicious program instead of catching it. Tim Hartman, senior technical director for Symantec Asia Pacific, said: 'A vulnerability is not a vulnerability till somebody discovers it but because this is now known, somebody could craft an e-mail, mass mailer or a virus that takes advantage of it. It affects our firewalls, antispam, all the retail products and the enterprise products as well.'" Symantec recommends you immediately patch your software.

13 of 388 comments

  1. Immediately patch? Really? by dtfinch · · Score: 5, Informative

    "No updates available for this product."

    I've checked several versions, starting with the corporate edition which we use.

    1. Re:Immediately patch? Really? by mrighi · · Score: 5, Funny

      That's because they gave out the wrong link. What they really meant to say was, "Symantec recommends you immediately patch your software."

    2. Re:Immediately patch? Really? by Anonymous Coward · · Score: 5, Informative

      Symantec has known about this, and they've been rolling out patches in the latest builds and maintenance releases for a little while. If you've been running liveupdate and no updates are available, you're good to go. The list of vulnerable and nonvulnerable builds is available on the Symantec advisory.

    3. Re:Immediately patch? Really? by Sethb · · Score: 5, Informative

      If you're running Corporate Edition, you won't be getting the patch via LiveUpdate. You need to call their tech support line with your serial number or contact/contract number, and they'll give you the information (FTP site and password) for obtaining the 9.0 MR3 update for SAV Corporate Edition. This updates the software to version 9.0.3.1000.

      Some of the earlier Maintenance Releases aren't vulnerable either, but MR3 is the newest. If you're still on vanilla 9.0.0.338, you need to update ASAP; the same applies if you're on the update revision that made SAV CE work with the Windows SP2 Security Control Panel, version 9.0.0.1400.

      Since it's "Corporate Edition", Symantec assumes that you're managing these desktops and wants to control when you push patches to them, so now you get to do just that. :) The good news is that you can use the remote client installer to just lay the new version over the old one via the network (or push a new .msi file via Group Policy, or run the update in a login script). Make sure you upgrade your servers before doing the clients. Symantec (or at least the rep I talked to) suggests completely removing the server (via add/remove programs) and installing the new version, not merely doing an update.

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  2. Better than just free by Dancin_Santa · · Score: 5, Informative

    I use AVG on all my company systems and can say that in addition to being free, AVG provides the best anti-virus protection around. After F-Prot started losing ground to Windows-based scanners, AVG has done a remarkable job in stepping up to the plate.

    AVG, free and worry free. (This was not a paid endorsement)

    1. Re:Better than just free by Zlib+pt · · Score: 5, Informative

      "I use AVG on all my company systems and can say that in addition to being free"

      On http://free.grisoft.com/freeweb.php/doc/2/

      "Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited."

    2. Re:Better than just free by Rick+Zeman · · Score: 5, Funny

      As long as it's not company policy, i.e. each employee that uses it is installing it for personal use, it's free.

      I worked for a company that refused to pay for AV, and we all had it on our desktops, except the managers.


      So what part of "home" did you all deliberately misunderstand?

  3. huh? by justforaday · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it..."

    Huh? So if someone inadvertently takes advantage of a vulnerability, it's not really a vulnerability because they didn't explicitly know they were taking advantage of it?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
  4. Sheer brilliance by stinky+wizzleteats · · Score: 5, Insightful

    From TFA:

    A vulnerability is not a vulnerability till somebody discovers it

    So that's how security works! Suppress knowledge of the problem!

    It's nice to see that Symantec's corporate culture hasn't changed very much since the days when Peter Norton thought computer viruses were an urban legend.

  5. Okay, Farkers... by Mmm+coffee · · Score: 5, Funny

    You know all those idiotic flamewars that spring up whenever the "irony" tag is used?

    Once and for all - THIS is irony. You can shut up now.

  6. A vulnerability is always a vulnerability. by JessLeah · · Score: 5, Insightful

    "A vulnerability is not a vulnerability till somebody discovers it." This sort of rubbish is a rather amusing reflection of corpthink.

    It's rather like saying "A law of Physics isn't a law of Physics until somebody discovers it."

    A vulnerability is a vulnerability, period... meaning that something is vulnerable. Whether or not anyone's yet realized it's vulnerable is another story.

    If you didn't put a lock on your door, would it "not be unlocked" until someone came by and realized that the door lacked a lock?

  7. Surprisingly honest by phorm · · Score: 5, Interesting

    I'm actually quite surprised that Symantec posted the notice about this publicly, rather than simply including an update in its next online patch.
    Definitely a bad vulnerability, but kudos for being honest about it. I wonder though how liable they are to damages... not good when antivirus software actually ends up triggering the infection.

  8. More details here... by Otto · · Score: 5, Informative

    http://www.symantec.com/avcenter/security/Content/2005.02.08.html

    The gist of it is that there is a heap overflow in a part of the Symantec antivirus engine that they call DEC2EXE. This is a decoder for compressed executable files. The idea is that you have to decompress it to scan the thing; this module does the decompression.

    So a carefully crafted EXE file could overflow part of this code and cause arbitrary code execution.

    This module isn't just in Norton Antivirus, BTW, it's in a heck of a lot of Symantec Antivirus products. So if you're running any Symantec anti-virus product, not just the home consumer stuff, you might want to head over there and get a patch.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
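
The bug class described in the last comment (a decoder that overflows a heap buffer while unpacking a crafted file), shown as an added example that is not part of the thread and is not Symantec's code: a bounds-checked unpacker for a toy run-length format constructed here. The format, the names `toy_unpack` and `UNPACK_*`, and the 16 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_UNPACKED (16u * 1024u * 1024u)   /* policy cap, assumed value */

enum { UNPACK_OK = 0, UNPACK_TRUNCATED = -1, UNPACK_TOO_BIG = -2,
       UNPACK_OVERRUN = -3, UNPACK_SHORT = -4, UNPACK_NOMEM = -5 };

/* Toy format (constructed): u32 little-endian unpacked size, then (count, byte) pairs. */
int toy_unpack(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (in_len < 4) return UNPACK_TRUNCATED;
    uint32_t declared = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
                        (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    if (declared == 0 || declared > MAX_UNPACKED) return UNPACK_TOO_BIG;
    uint8_t *buf = malloc(declared);
    if (!buf) return UNPACK_NOMEM;
    size_t pos = 0;
    for (size_t i = 4; i < in_len; i += 2) {
        if (in_len - i < 2) { free(buf); return UNPACK_TRUNCATED; }
        size_t run = in[i];
        /* The check a trusting decoder omits: the header sized the buffer,
           but the file body decides how much is written into it. */
        if (run > declared - pos) { free(buf); return UNPACK_OVERRUN; }
        memset(buf + pos, in[i + 1], run);
        pos += run;
    }
    if (pos != declared) { free(buf); return UNPACK_SHORT; }
    *out = buf; *out_len = pos;
    return UNPACK_OK;
}

int main(void)
{
    /* Constructed input: header declares 4 bytes, body carries a 200-byte run. */
    const uint8_t crafted[] = { 4, 0, 0, 0, 200, 'A' };
    uint8_t *out; size_t n;
    return toy_unpack(crafted, sizeof crafted, &out, &n) == UNPACK_OVERRUN ? 0 : 1;
}
```

Because a scanner has to unpack untrusted files before it can inspect them, every size field in the input needs this kind of check against the buffer actually allocated.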