Symantec Confirms AV Library Flaw, Promises Patch
the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned.
The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files.
'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."
FTA,
Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.
http://www.avast.com/ Just one more reason to stick with the free (as in beer) stuff.
Are you serious? RAR is a compression file format. There is nothing illegal about it. And this could just as well have happened with any file format.
Also, I don't think you will be so happy when you get an infected RAR file in email, and Symantec AV decides it'd better scan the attachment before you even read the email.
ps. why is there no (or where is it ?) opensource antivirus software for windows ?
http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=opensource%20antivirus%20software%20for%20windows
"I've got more toys than Teruhisa Kitahara."
Actually, anti-virus software is nothing but snake oil and a money grab these days.
Why?
Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall. This applies both to real Unix systems and to Windows. These days, most virus/worm/spyware install 10-20 "friends", each updated on a frame of several days. It's pretty hard to get all of these, considering that most anti-crapware software has a detection rate of 30% or less (not counting any _old_ pests).
Thus, as parent said, AV actually makes your system less secure, provided you or your OS follow at least some basic security rules; it adds no security while creating new holes on its own. Also, performance lost to the scanner wasting your memory and CPU is not free, either.
Of course, if you're unlucky enough to work in tech support for Windows machines, this analysis doesn't apply. But, if you can get the boxes locked down, don't even bother paying the AV protection racket.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Clam is not exactly for Windows. Last time I checked, Win Clam was far behind the Linux version. Free AVG seems a lot better for Windows, but not open sourced.
Hmm, good question. Let's see what else you said:
I haven't seen squat for innovation in years. It is if they don't put any effort into it. It's just the same old product re-hashed, only it sucks worse.
Wow, sounds bad. Why wouldn't Symantec improve their product? Oh, wait, you also said:
I've been buying symantec systems works every year
Ah, I think you just answered your own question...
so the best defence is to hide behind a hardware firewall router then... what's running on that firewall router??? bet you anything it's most likely Linux...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its LiveUpdate a way for all people infected to remove it. Given this, they must either constantly compete with Norton's LiveUpdates or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, it's in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot "packer" is packing their bots uniquely, obscuring the strings from Norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, it's a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).
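An added illustration of the comment above, not part of the thread or of any vendor's code: a string-literal signature misses a sample whose bytes are re-encoded on every pack, which is why scanners carry decomposers that unpack known containers and rescan the result. The container format (`TPK1`), the signature text and all sample bytes are constructed for this example; the unpacker checks the declared length against the real input because it is parsing untrusted data.

```python
import struct
from typing import Optional

# Constructed string-literal signature (harmless marker text, not a real indicator).
SIGNATURES = {b"EXAMPLE-BOT-CMD-CHANNEL": "Example.Bot.A"}

# Hypothetical toy container: MAGIC | key (1 byte) | body length (u32 LE) | XORed body
MAGIC = b"TPK1"
HEADER_LEN = 9
MAX_UNPACKED = 1 << 20  # refuse absurd declared sizes


def static_scan(data: bytes) -> set:
    """Return names of signatures whose literal bytes appear in data."""
    return {name for sig, name in SIGNATURES.items() if sig in data}


def toy_pack(payload: bytes, key: int) -> bytes:
    """Build a constructed sample: the same payload encoded with a per-pack key."""
    body = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + struct.pack("<I", len(body)) + body


def toy_unpack(data: bytes) -> Optional[bytes]:
    """Decompose the toy container, validating its header before touching the body."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        return None  # not this container; nothing to unpack
    key = data[4]
    (declared,) = struct.unpack_from("<I", data, 5)
    body = data[HEADER_LEN:]
    if declared > MAX_UNPACKED or declared != len(body):
        raise ValueError("declared length does not match input")
    return bytes(b ^ key for b in body)


def scan(data: bytes) -> set:
    """Static match first, then unpack a recognised container and rescan."""
    hits = static_scan(data)
    try:
        inner = toy_unpack(data)
    except ValueError:
        return hits | {"Suspicious.MalformedContainer"}
    if inner is not None:
        hits |= static_scan(inner)
    return hits


# Constructed samples: one plain, two packs of the same payload, one truncated.
PLAIN = b"\x00\x01stub" + b"EXAMPLE-BOT-CMD-CHANNEL" + b"\x00tail"
PACKED_A = toy_pack(PLAIN, 0x5A)
PACKED_B = toy_pack(PLAIN, 0xC3)
TRUNCATED = PACKED_A[:-4]
```
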
They appear to have written their own rather than using free RAR code, and I say this because they had a bug in previous incarnations of DEC2RAR.DLL (up to version 3.2.12.11) that I spent much effort trying to get them to fix almost exactly one year ago. It could not understand RAR archives, both standard and self-extracting, created by RAR versions 1.5x. The process and thus the antivirus would crash when trying to unpack them without any error being displayed or logged. This didn't affect Corporate Edition. In Dec. 2004 they released a LiveUpdate which updated DEC2RAR.DLL from 3.2.12.11 to 3.2.12.45.
:^) However, the affected version of the DLL is 3.2.14.3, and the one that they updated to was 3.2.12.45, which is still current on my NAV2005.
So perhaps this is all my fault.
-- Insert witty one-liner here. --