Slashdot Mirror


Symantec Confirms AV Library Flaw, Promises Patch

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."
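
The summary describes a buffer overflow in the component that unpacks RAR archives. The C program below is an added illustration, not Symantec's code and not the real RAR format: it uses a constructed, hypothetical entry-header layout (a 2-byte length followed by a name) to show the pattern such decoder bugs usually take, a length taken from the file and trusted when copying into a fixed-size buffer, alongside the checks a hardened decoder performs before touching memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy entry-header layout (hypothetical, NOT the real RAR format):
 *   bytes 0..1 : little-endian length of the entry name
 *   bytes 2..  : the name itself
 * Both parsers copy the name into a fixed-size buffer, as a decoder might. */
#define NAME_MAX 64

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the length field is trusted. A crafted header with a
 * large length writes past the NAME_MAX-byte buffer and reads past the end of
 * the input. Shown for contrast only; nothing in this program calls it. */
int parse_name_unchecked(const uint8_t *hdr, char out[NAME_MAX])
{
    uint16_t n = rd16le(hdr);
    memcpy(out, hdr + 2, n);        /* n is never compared with NAME_MAX */
    out[n] = '\0';
    return n;
}

/* Hardened version: validate the length against the destination capacity and
 * against the bytes actually present before copying anything.
 * Returns the name length, or -1 for a malformed header. */
int parse_name_checked(const uint8_t *hdr, size_t hdr_len,
                       char *out, size_t out_cap)
{
    if (hdr_len < 2) return -1;                 /* no length field at all */
    uint16_t n = rd16le(hdr);
    if ((size_t)n >= out_cap) return -1;        /* no room for name + NUL */
    if ((size_t)n > hdr_len - 2) return -1;     /* claims more than we have */
    memcpy(out, hdr + 2, n);
    out[n] = '\0';
    return n;
}

/* Constructed sample inputs. */
int demo_good(void)        /* well-formed: length 10, "readme.txt" */
{
    static const uint8_t hdr[] = { 0x0a, 0x00,
        'r','e','a','d','m','e','.','t','x','t' };
    char name[NAME_MAX];
    return parse_name_checked(hdr, sizeof hdr, name, sizeof name);
}

int demo_truncated(void)   /* length 32, but only 2 name bytes follow */
{
    static const uint8_t hdr[] = { 0x20, 0x00, 'A', 'B' };
    char name[NAME_MAX];
    return parse_name_checked(hdr, sizeof hdr, name, sizeof name);
}

int demo_oversize(void)    /* length 100: present in input, but > NAME_MAX */
{
    uint8_t hdr[2 + 100];
    hdr[0] = 100; hdr[1] = 0;
    memset(hdr + 2, 'A', 100);
    char name[NAME_MAX];
    return parse_name_checked(hdr, sizeof hdr, name, sizeof name);
}

int main(void)
{
    printf("good=%d truncated=%d oversize=%d\n",
           demo_good(), demo_truncated(), demo_oversize());
    return 0;
}
```

The two checks in the hardened parser are independent: one bounds the copy by the destination, the other by the source, and a scanner that processes archives from mail or downloads needs both, since either one alone still leaves a crafted header able to crash or corrupt the process.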

31 of 133 comments

  1. You know what this means - by mtrisk · · Score: 4, Funny

    Installing Symantec on your Mac makes it LESS secure than it was before.

    How ironic...

    --

    Without a proper flamewar, Anonymous was undecided on what shell to run.
    1. Re:You know what this means - by moro_666 · · Score: 3, Funny

      It's also pretty ironic that if you didn't have Symantec installed, you'd be safe from the virus in the RAR archives.

      Getting your machine infected because you have an antivirus installed is definitely a new thing, way to go Symantec :)

      PS. Why is there no (or where is it?) open-source antivirus software for Windows? Sure, it would be heavy work to keep it up with all the viruses, but with some support from some foundations it would be a good thing.

      Next thing coming along will be DRM software that prevents DRM from protecting the content... Sony's turn...

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    2. Re:You know what this means - by ozmanjusri · · Score: 5, Informative

      PS. Why is there no (or where is it?) open-source antivirus software for Windows?

      http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=opensource%20antivirus%20software%20for%20windows

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:You know what this means - by KiloByte · · Score: 3, Informative

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall. This applies both to real Unix systems and to Windows. These days, most viruses/worms/spyware install 10-20 "friends", each updated on a frame of several days. It's pretty hard to get all of these, considering that most anti-crapware software has a detection rate of 30% or less (not counting any _old_ pests).

      Thus, as parent said, AV actually makes your system less secure, provided you or your OS follow at least some basic security rules; it adds no security while creating new holes on its own. Also, performance lost to the scanner wasting your memory and CPU is not free, either.

      Of course, if you're unlucky enough to work in tech support for Windows machines, this analysis doesn't apply. But, if you can get the boxes locked down, don't even bother paying the AV protection racket.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:You know what this means - by Scarblac · · Score: 4, Funny

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall.

      Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      --
      I believe posters are recognized by their sig. So I made one.
    5. Re:You know what this means - by S3D · · Score: 4, Informative

      Clam is not exactly for Windows. Last time I checked, Win Clam was far behind the Linux version. Free AVG seems a lot better for Windows, but it's not open-sourced.

    6. Re:You know what this means - by thebes · · Score: 3, Insightful

      And the 14 year old speaks! Wow, I was just waiting for that. So, tell me, when was the last time you designed and built an operating system?

    7. Re:You know what this means - by advocate_one · · Score: 2, Interesting

      Actually, considering I cut my programming teeth way back in the early 70s and had to punch my programmes in on good old fashioned punched cards... built my first personal computer the hard way by having to solder EVERY connection, and had to code it by typing in the raw op codes, I think I'm ably qualified to tell you young whippersnappers, especially those inexperienced whippersnappers that Microsoft insists on using, where things are wrong...

      Oh, by the way, they have to pay me to use MS Windows... I use and code on Linux by personal choice. My daughters and my grandchildren also prefer Linux.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  2. Why confess? by Jotii · · Score: 4, Interesting

    Why did Symantec verify officially that this bug was present before fixing it? Now, evil RAR packages will probably be much more widespread than before.

    1. Re:Why confess? by wasudeo · · Score: 5, Informative

      FTA,

      Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.

  3. That's what you get for by letdinosaursdie · · Score: 5, Insightful

    The Microsoft solution to the Microsoft solution to the Microsoft solution to the Microsoft solution to the...

  4. Re:Inherent problems with AV software by MichaelSmith · · Score: 4, Insightful

    No thanks, AV software!

    The exploit you really have to look out for is the one I send to you to get a specific bit of information off your system, which sends the info to a maildrop and then deletes itself without ever calling attention to itself.

    The viruses which propagate all over the place and get their footprints into antivirus databases are jokes, really.

  5. Morons by Anonymous Coward · · Score: 4, Insightful

    The Windows world's most widely deployed AV solution uses MSHTML to render its GUI; that doesn't exactly inspire faith in Symantec products. Security products should do one thing well. The very concept of the all-encompassing consumer 'security' application suite is flawed, and yet almost every Windows desktop security product has additional 'features'.

    Computer security is not available in click-wrapped form; it's about time that companies stopped marketing software as some cure-all for lack of user education.

    1. Re:Morons by jayloden · · Score: 2, Insightful

      Tell me about it. No more ability to scan in Safe Mode, no ability to run at all if the IE security settings are jacked up, and if mshtml is exploited, then Symantec's products are screwed.

      Whose brilliant idea was it to make an HTML GUI for a *security* product using libraries from the system that are easily compromised by unrelated events (IE security levels)?

      Right around the time they started with that was when I stopped recommending their products and started recommending AntiVir.

  6. Symantec lost it a long time ago by Anonymous Coward · · Score: 2, Interesting

    Our info security dept have advised us NOT to use Symantec AV products on our home PCs because, in their experience, they just don't work very well against a lot of the current crop of malware. You might as well use AVG and save the money. Norton AV also gets deep into a PC and is difficult to uninstall cleanly.

  7. Re:Inherent problems with AV software by Zog+The+Undeniable · · Score: 2, Insightful

    I agree. Your best defence on the Internet is a hardware firewall router and a well-developed bullshit detector. Doesn't slow your computer down.

    --
    When I am king, you will be first against the wall.
  8. like it wasn't bad enough before by phntm · · Score: 5, Interesting

    I'm a netadmin on an IRC network and I've seen many zombie botnets; most of them are running "up-to-date" Symantec antivirus products and feel safe while behind their backs their systems keep DDoSing and hogging bandwidth.
    Symantec doesn't make me feel safe, for sure.

  9. Avast by DavidHOzAu · · Score: 3, Informative

    http://www.avast.com/ Just one more reason to stick with the free (as in beer) stuff.

  10. Re:Inherent problems with AV software by MichaelSmith · · Score: 3, Interesting

    Your best defence on the Internet is a hardware firewall router

    If you have windows clients your internet gateway (web proxy, email server) needs to be aware of the sort of content which can impact the clients.

    I lost a job supplying a Linux router to a company with Windows clients because the Linux box just couldn't adequately protect the workstations.

    It's not fair, but what is?

  11. buffer overflow in unrar? by wolf550e · · Score: 5, Interesting

    Does anyone know if Symantec wrote their own unrar library that is insecure, or have they used Roshal's free code which was probably known to be insecure and someone just discovered they didn't bother to fix it before including it in their products?

    1. Re:buffer overflow in unrar? by MrKevvy · · Score: 2, Informative

      They appear to have written their own rather than using free RAR code, and I say this because they had a bug in previous incarnations of DEC2RAR.DLL (up to version 3.2.12.11) that I spent much effort trying to get them to fix almost exactly one year ago. It could not understand RAR archives, both standard and self-extracting, created by RAR versions 1.5x. The process and thus the antivirus would crash when trying to unpack them without any error being displayed or logged. This didn't affect Corporate Edition. In Dec. 2004 they released a LiveUpdate which updated DEC2RAR.DLL from 3.2.12.11 to 3.2.12.45.

      So perhaps this is all my fault. :^) However, the affected version of the DLL is 3.2.14.3, and the one that they updated to was 3.2.12.45, which is still current on my NAV2005.

      --
      -- Insert witty one-liner here. --
  12. Re:Who gives a shit by TorKlingberg · · Score: 2, Informative

    Are you serious? RAR is a compression file format. There is nothing illegal about it. And this could just as well have happened with any file format.

    Also, I don't think you will be so happy when you get an infected RAR file in email, and Symantec AV decides it'd better scan the attachment before you even read the email.

  13. Tell uninformed users what AV can & can't do by Quirk · · Score: 4, Insightful

    I stopped using Symantec products when I moved on from Windows 98 as a multimedia/game/web OS. Symantec products burrowed too deep into the OS, were impossible to elegantly uninstall, and the Norton tool set really wasn't as necessary as it once was.

    I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

    My biggest beef is not with the AV makers, but rather with the retail sales people who sell AV software and tell unknowledgeable buyers that their system is now protected against all malware, because superduper AV ware scans everything before you use it and ensures no malware can execute.

    I try to explain to people that AV is a lot like a flu shot. It's good enough to give you some protection from the bugs we know are out there, but is ineffective against the new, bad stuff coming down the pike.

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  14. Wait wait wait... by Spazholio · · Score: 4, Funny

    Fuck this "buffer overflow" crap. You mean to tell me RAR actually stands for something?

  15. only version 10.x of Corporate Edition ... by Anonymous Coward · · Score: 4, Insightful

    So according to the Symantec advisory the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work ... not anymore!

  16. Return of.. by Egregius · · Score: 2, Interesting

    Return of the viruses that activate when scanned over. Last time this happened was in... what? The eighties? I always wondered how it was possible for code to become active when scanned over, but now that I do, I really have to frown at this.

  17. Re:Inherent problems with AV software by wombatmobile · · Score: 3, Funny

    And the part about "Formatting Windows" only makes it sound like you're incompetent.

    Give me a break, please. I just swapped over from CP/M.

  18. Re:Inherent problems with AV software by advocate_one · · Score: 2, Informative

    so the best defence is to hide behind a hardware firewall router then... what's running on that firewall router??? bet you anything it's most likely Linux...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  19. Why AV Is Ineffective from Malware POV by TheUncleD · · Score: 4, Informative

    Coding or, I should say, 'Encoding has come a long way.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

    A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
    Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its LiveUpdate a way for all people infected to remove it. Given this, they must either constantly compete with Norton's LiveUpdates or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, it's in the field of Anti-Virus Heuristics. A very well known packer is UPX, which you can search for and find more about. Many modifications of this packer exist. Essentially a bot "packer" is packing their bots uniquely, obscuring the strings from Norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine, such as svchost.exe, as a process. This is the common trick, and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, it's a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).

    1. Re:Why AV Is Ineffective from Malware POV by Egregius · · Score: 2, Insightful

      What if we encrypted our virus with a random encryption, and only the decrypter could be scanned for? Well, if we did that, we'd be doing what virus writers were doing in the late eighties/early nineties. What ever came of it? Anti-virus writers outsmarted the virus writers by actually scanning for the decoding pieces or patterns in the code that indicated certain types of encryption.

      Now we're slightly further down the road, and we moved from encrypted to oligomorphic (weak polymorphism) to polymorphic to metamorphic code. Metamorphic code is code that completely changes from generation to generation (read up on the MetaPHOR virus and metamorphism for more details). And yet... anti-virus writers still manage to detect these (with great difficulty however), and have been for quite a while. Metamorphic viruses are incredibly complex however, so you won't see them in the wild often because they're hard to create, and there's hardly any niche for viruses any more. Either your malware is a worm that understands open ports and/or mailing itself to others, or it's an internet-unaware virus that remains stuck on the hard disk.

      Great-grandparent's post thus adds little to the discussion. What he speaks of is 1.5 decades old, and has NOTHING to do with the current article: a well-known anti-virus vendor allowing malicious code execution through a buffer overflow. Mods: please mod his pointlessly bolded post 'overrated'. A '5' is disappointingly high for this geek crowd.
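
TheUncleD's post above and this reply describe two stages of signature scanning: matching string literals in a compiled program, and, once packers started re-encoding every copy, matching the fixed decoder stub instead and rescanning the recovered body. The C program below is an added example written for this page, not code from any AV product or packer; the sample body, the stub bytes and the toy XOR "packing" are all constructed stand-ins, chosen only to make the two scanner levels observable on the same input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Return the offset of the first occurrence of `sig` in `buf`, or -1. */
static long find_sig(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m)
{
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return (long)i;
    return -1;
}

/* Constructed stand-in for a compiled program body (not real malware): plain
 * text so the "string literal" the post talks about is easy to see. */
static const char SAMPLE_BODY[] = "...CONSTRUCTED-MARKER-STRING...";
static const char BODY_SIG[]    = "CONSTRUCTED-MARKER-STRING";

/* Constructed stand-in for a packer's decoder stub: bytes every packed variant
 * carries unchanged, followed by a one-byte key. The stub is the "decoding
 * piece" the reply says scanners learned to match. */
static const uint8_t STUB[] = { 0x55, 0x50, 0x58, 0x21, 0xde, 0xc0 };

/* Toy "packing": STUB || key || (body XOR key). A new key per build changes
 * every body byte, so a string signature on the body no longer fires. */
static size_t toy_pack(const uint8_t *body, size_t n, uint8_t key,
                       uint8_t *out, size_t cap)
{
    size_t total = sizeof STUB + 1 + n;
    if (total > cap) return 0;
    memcpy(out, STUB, sizeof STUB);
    out[sizeof STUB] = key;
    for (size_t i = 0; i < n; i++) out[sizeof STUB + 1 + i] = body[i] ^ key;
    return total;
}

/* Scanner level 1: the body string signature only. */
int detect_by_string(const uint8_t *buf, size_t n)
{
    return find_sig(buf, n, (const uint8_t *)BODY_SIG, strlen(BODY_SIG)) >= 0;
}

/* Scanner level 2: match the fixed decoder stub, apply the transformation it
 * implies (a simplified stand-in for unpacking or emulation) and rescan. */
int detect_by_stub_and_unpack(const uint8_t *buf, size_t n)
{
    long off = find_sig(buf, n, STUB, sizeof STUB);
    if (off < 0) return 0;
    size_t keypos = (size_t)off + sizeof STUB;
    if (keypos >= n) return 0;                 /* stub with no key byte: malformed */
    uint8_t key = buf[keypos];
    size_t start = keypos + 1, m = n - start;
    uint8_t tmp[256];
    if (m > sizeof tmp) m = sizeof tmp;
    for (size_t i = 0; i < m; i++) tmp[i] = buf[start + i] ^ key;
    return detect_by_string(tmp, m);
}

/* Demo helpers: 1 = detected, 0 = missed. Key 0 would leave the body
 * unchanged, so the demos use non-zero keys. */
int demo_plain(void)
{
    return detect_by_string((const uint8_t *)SAMPLE_BODY, sizeof SAMPLE_BODY - 1);
}

int demo_packed_string_scan(uint8_t key)
{
    uint8_t packed[256];
    size_t n = toy_pack((const uint8_t *)SAMPLE_BODY, sizeof SAMPLE_BODY - 1,
                        key, packed, sizeof packed);
    return detect_by_string(packed, n);
}

int demo_packed_stub_scan(uint8_t key)
{
    uint8_t packed[256];
    size_t n = toy_pack((const uint8_t *)SAMPLE_BODY, sizeof SAMPLE_BODY - 1,
                        key, packed, sizeof packed);
    return detect_by_stub_and_unpack(packed, n);
}

int main(void)
{
    printf("plain body, string scan:  %d\n", demo_plain());
    printf("packed 0x5a, string scan: %d\n", demo_packed_string_scan(0x5a));
    printf("packed 0x5a, stub+unpack: %d\n", demo_packed_stub_scan(0x5a));
    printf("packed 0xa7, stub+unpack: %d\n", demo_packed_stub_scan(0xa7));
    return 0;
}
```

The point the two posts make together shows up in the results: the string signature stops firing as soon as the body is re-encoded with a fresh key, while a signature on the stub plus a rescan of what the stub would produce catches every key. Real unpackers and emulators are far more involved than one XOR loop, and the reply's later stages (polymorphic and metamorphic code) are exactly the ones where a fixed stub no longer exists to match, which is why those cases are the hard ones for scanners.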

  20. Re:Deep Freeze by Cecil · · Score: 2, Funny

    Oh. So you're to blame for all the spam I get. Thanks, asshole.

    Running a virus for 24 hours really sucks anyway. Also, I hope you never run into one that flashes your BIOS.