Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Confirms AV Library Flaw, Promises Patch

Posted by CowboyNeal on from the watching-the-watchmen dept.

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."

15 of 133 comments (clear)

  1. You know what this means - by mtrisk · · Score: 4, Funny

    Installing Symantec on your Mac makes it LESS secure than it was before.

    How ironic...

    --

    Without a proper flamewar, Anonymous was undecided on what shell to run.
    1. Re:You know what this means - by ozmanjusri · · Score: 5, Informative

      ps. why is there no (or where is it ?) opensource antivirus software for windows ?

      http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8 &q=opensource%20antivirus%20software%20for%20windo ws

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:You know what this means - by Scarblac · · Score: 4, Funny

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall.

      Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      --
      I believe posters are recognized by their sig. So I made one.
    3. Re:You know what this means - by S3D · · Score: 4, Informative

      Clam is not exactly for windows. Last time I've checked Win Clam was far behind Linux version. Free AVG seems a lot better for Windows, but not open sourced

  2. Why confess? by Jotii · · Score: 4, Interesting

    Why did Symantec verify officially that this bug was present before fixing it? Now, evil RAR packages will probably be much more wide-spread than before.

    --
    [sig]
    1. Re:Why confess? by wasudeo · · Score: 5, Informative

      FTA,

      Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.

  3. That's what you get for by letdinosaursdie · · Score: 5, Insightful

    The Microsoft solution to the Microsoft solution to the Microsoft solution to the Microsoft solution to the...

  4. Re:Inherent problems with AV software by MichaelSmith · · Score: 4, Insightful
    No thanks, AV software!

    The exploit you really have to look out for is the one I send to you get a specific bit of information off your system, which sends the info to a maildrop and then deletes itself without ever calling attention to itself.

    The viruses which propogate all over the place and get their footprints into antivirus databases are jokes, really.

    --
    http://michaelsmith.id.au
  5. Morons by Anonymous Coward · · Score: 4, Insightful
    The Windows worlds most widely deployed AV solution uses MSHtml to render it's GUI, that doesn't exactly inspire faith in symantec products. Security products should do one thing well, the very concept of the all encompassing consumer 'security' application suite is flawed and yet almost every Windows desktop security product has additional 'features'.

    Computer security is not availiable in click-wrapped form, it's about time that companies stopped marketing software as some cure-all for lack of user education.

  6. like it wasn't bad enought before by phntm · · Score: 5, Interesting

    i'm a netadmin on an irc network and i've seen many zombie botnets, most of them are running "up-to-date" symantec antivirus products and feel safe while behind their backs their systems keep ddosing and hogging bandwith.
    symantec doesn't make me feel safe for sure.

  7. buffer overflow in unrar? by wolf550e · · Score: 5, Interesting

    Does anyone know if Symantec wrote their own unrar library that is insecure or have they used Roshal's free code which was probably known to be insecure and someone just discoverd they didn't bother to fix it before including in their products?

  8. Tell uniformed users what AV can & can't do by Quirk · · Score: 4, Insightful
    I stopped using Symantec Products when I moved on from Windows 98 as a multimedia/game/web OS. Symatec products burrowed too deep into the OS, were impossible to elegantly uninstall, and, the Norton Tool set really wasn't as necessary as it once was.

    I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

    My biggest beef is not with the AV makers, but, rather, with the retail sales people who sell AV software and tell unknowledgeable buyers that their system is now protected against all malware, because, superduper AV ware scans everything before you use it and ensures no malware can execute.

    I try to explain to people that AV is alot like a flu shot. It's good enough to give you some protection from the bugs we know are out there but is ineffective against the new, bad stuff coming down the pike.

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  9. Wait wait wait... by Spazholio · · Score: 4, Funny

    Fuck this "buffer overflow" crap. You mean to tell me RAR actually stands for something?

  10. only version 10.x of Corporate Edition ... by Anonymous Coward · · Score: 4, Insightful

    So according to the Symantec advisory the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work ... not anymore!

  11. Why AV Is Innefective from Malware POV by TheUncleD · · Score: 4, Informative
    Coding or I should say, 'Encoding has come a long ways.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" are in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

    A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
    Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its Liveupdate a way for all people infected to remove it. Given this, they must either constantly compete with Nortons LiveUpdate's or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, its in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot"packer" is packing their bots uniquely, obscuring the strings from norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, its a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).