Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Confirms AV Library Flaw, Promises Patch

Posted by CowboyNeal on from the watching-the-watchmen dept.

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."

21 of 133 comments (clear)

  1. You know what this means - by mtrisk · · Score: 4, Funny

    Installing Symantec on your Mac makes it LESS secure than it was before.

    How ironic...

    --

    Without a proper flamewar, Anonymous was undecided on what shell to run.
    1. Re:You know what this means - by moro_666 · · Score: 3, Funny

      It's also pretty ironic that if you wouldn't have symantec installed, you'd be safe from the virus in the rar archives.

        Getting your machine infected because you have an antivirus installed is definitely a new thing, way to go Symantec :)

        ps. why is there no (or where is it ?) opensource antivirus software for windows ? sure it would be heavy work to keep it up with all the viruses. but with some support from some foundations it would be a good thing.

      next thing coming along will drm software that prevents drm from protecting the content.... sony's turn ....

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    2. Re:You know what this means - by ozmanjusri · · Score: 5, Informative

      ps. why is there no (or where is it ?) opensource antivirus software for windows ?

      http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8 &q=opensource%20antivirus%20software%20for%20windo ws

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:You know what this means - by KiloByte · · Score: 3, Informative

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall. This applies both to real Unix systems and to Windows. These days, most virus/worm/spyware install 10-20 "friends", each updated on a frame of several days. It's pretty hard to get all of these, considering that most anti-crapware software has a detection rate of 30% or less (not counting any _old_ pests).

      Thus, as parent said, AV actually makes your system less secure, provided you or your OS follow at least some basic security rules; it adds no security while creating new holes on its own. Also, performance lost to the scanner wasting your memory and CPU is not free, either.

      Of course, if you're unlucky enough to work in tech support for Windows machines, this analysis doesn't apply. But, if you can get the boxes locked down, don't even bother paying the AV protection racket.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:You know what this means - by Scarblac · · Score: 4, Funny

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall.

      Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      --
      I believe posters are recognized by their sig. So I made one.
    5. Re:You know what this means - by S3D · · Score: 4, Informative

      Clam is not exactly for windows. Last time I've checked Win Clam was far behind Linux version. Free AVG seems a lot better for Windows, but not open sourced

    6. Re:You know what this means - by thebes · · Score: 3, Insightful

      And the 14 year old speaks! Wow, I was just waiting for that. So, tell me, when was the last time you designed and built an operating system?

  2. Why confess? by Jotii · · Score: 4, Interesting

    Why did Symantec verify officially that this bug was present before fixing it? Now, evil RAR packages will probably be much more wide-spread than before.

    --
    [sig]
    1. Re:Why confess? by wasudeo · · Score: 5, Informative

      FTA,

      Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.

  3. That's what you get for by letdinosaursdie · · Score: 5, Insightful

    The Microsoft solution to the Microsoft solution to the Microsoft solution to the Microsoft solution to the...

  4. Re:Inherent problems with AV software by MichaelSmith · · Score: 4, Insightful
    No thanks, AV software!

    The exploit you really have to look out for is the one I send to you get a specific bit of information off your system, which sends the info to a maildrop and then deletes itself without ever calling attention to itself.

    The viruses which propogate all over the place and get their footprints into antivirus databases are jokes, really.

    --
    http://michaelsmith.id.au
  5. Morons by Anonymous Coward · · Score: 4, Insightful
    The Windows worlds most widely deployed AV solution uses MSHtml to render it's GUI, that doesn't exactly inspire faith in symantec products. Security products should do one thing well, the very concept of the all encompassing consumer 'security' application suite is flawed and yet almost every Windows desktop security product has additional 'features'.

    Computer security is not availiable in click-wrapped form, it's about time that companies stopped marketing software as some cure-all for lack of user education.

  6. like it wasn't bad enought before by phntm · · Score: 5, Interesting

    i'm a netadmin on an irc network and i've seen many zombie botnets, most of them are running "up-to-date" symantec antivirus products and feel safe while behind their backs their systems keep ddosing and hogging bandwith.
    symantec doesn't make me feel safe for sure.

  7. Avast by DavidHOzAu · · Score: 3, Informative

    http://www.avast.com/ Just one more reason to stick with the free (as in beer) stuff.

  8. Re:Inherent problems with AV software by MichaelSmith · · Score: 3, Interesting
    Your best defence on the Internet is a hardware firewall router

    If you have windows clients your internet gateway (web proxy, email server) needs to be aware of the sort of content which can impact the clients.

    I lost a job supplying a linux router to a company with windows clients because the linux box just couldn't adequately protect the workstations.

    Its not fair, but what is?

    --
    http://michaelsmith.id.au
  9. buffer overflow in unrar? by wolf550e · · Score: 5, Interesting

    Does anyone know if Symantec wrote their own unrar library that is insecure or have they used Roshal's free code which was probably known to be insecure and someone just discoverd they didn't bother to fix it before including in their products?

  10. Tell uniformed users what AV can & can't do by Quirk · · Score: 4, Insightful
    I stopped using Symantec Products when I moved on from Windows 98 as a multimedia/game/web OS. Symatec products burrowed too deep into the OS, were impossible to elegantly uninstall, and, the Norton Tool set really wasn't as necessary as it once was.

    I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

    My biggest beef is not with the AV makers, but, rather, with the retail sales people who sell AV software and tell unknowledgeable buyers that their system is now protected against all malware, because, superduper AV ware scans everything before you use it and ensures no malware can execute.

    I try to explain to people that AV is alot like a flu shot. It's good enough to give you some protection from the bugs we know are out there but is ineffective against the new, bad stuff coming down the pike.

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  11. Wait wait wait... by Spazholio · · Score: 4, Funny

    Fuck this "buffer overflow" crap. You mean to tell me RAR actually stands for something?

  12. only version 10.x of Corporate Edition ... by Anonymous Coward · · Score: 4, Insightful

    So according to the Symantec advisory the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work ... not anymore!

  13. Re:Inherent problems with AV software by wombatmobile · · Score: 3, Funny

    And the part about "Formatting Windows" only make it sound like you're incompetent.

    Give me a break, please. I just swapped over from CP/M.

  14. Why AV Is Innefective from Malware POV by TheUncleD · · Score: 4, Informative
    Coding or I should say, 'Encoding has come a long ways.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" are in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

    A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
    Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its Liveupdate a way for all people infected to remove it. Given this, they must either constantly compete with Nortons LiveUpdate's or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, its in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot"packer" is packing their bots uniquely, obscuring the strings from norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, its a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).