Symantec AntiVirus Hole Found
Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"
I bet June 7th, 2006.
Just because they release updates on Wednesdays, and I don't think they will have a certified patch ready by Wednesday, as this is a holiday weekend and their customers don't matter to them (at least the ones that could be infected).
'...if only "Jumping to a Conclusion" were an event in the Olympics.'
I had a bit of a problem a few years ago with spyware; first I installed an IE plugin and then moved to Firefox.
These 'security' behemoths are insane. They hog 20%+ of computer resources with their 'real time scanning'. The only time anything needs to be scanned is when it's first coming to your computer. Downloads need to be scanned, that's it! If I download something questionable, I'll run it through Trend Micro online scan before running it.
Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Back up your damn documents and data.
Firefox and a little common sense and this whole virus/spyware thing is just not an issue for me. I haven't run SpyBot/AdAware since last year. I occasionally scan my download folder with TM Online.
Recent history:
Does anyone else feel that this time line suggests that the last item or two might be part of a hidden agenda? Are we witnessing the start of a FUD throwing contest between two of the industry's major players?
I am so confused. What web news publishers should I now put my faith in?
My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.
Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.
I work at a big stupid company that has a site license for Rational ClearCase, a totally retarded product we are forced to use by upper management. Fortunately, SAV 10 is incompatible with the ClearCase Windows client: it diagnoses it as malware and attempts to remove the "infection". So we cannot upgrade from SAV 9. When they were doing the automated rollouts a few days ago, we had to send our machine names to the CC administrator to prevent the upgrade process from installing SAV 10 on our machines.
So now we don't have to worry about this security hole, which means we can finally say that something good came out of using Rational ClearCase.
I'm getting tired of keeping up with all these holes that need to get fixed to save my employment for a basic pay cheque.
We need to fix the root cause of the problem. Not restore service, but fix it.
It's time to tackle this problem at the compiler level. Get rid of the various IDE wizards, where the latest summer student can spend 5 minutes building a so-called enterprise class application.
Instead of the next dual core processor, maybe the industry could spend some time on software and get it right.
My NAV is using a total of 9 MB RAM on my system as I type. It's always been more reliable in catching viruses than AVG, too.
What's this? Another weblog? On transit?
The advisory is rather bleak at the moment, so following is pure speculation:
Past exploits in software firewalls were issues in the packet inspection engine. The engine puts itself in front of the TCP/IP stack of Windows and inspects _every_ packet that goes in or out, regardless of whether it connects to some port or not. This is done in order to log the packet and to reassure the user with annoying popups that his investment was worth his money.
Back to antivirus: this thing also scans email. It does this by scanning the traffic on the POP3 and IMAP ports. My suspicion is that it does this regardless of the connection state. E.g. if you send packets from port 110 to the target machine it probably inspects them, even if the target machine isn't currently downloading any email. Again: this is speculation on my part.
To answer the parent's questions:
If the above is the case:
- Do I have to browse to a malicious website?
Probably not.
- Do I have to download an infected file for it to scan?
It's possible that the worm also works when an email is scanned. So if you receive an email that has such a virus attached, your machine would also be infected even if you used a hardware firewall.
- Does it somehow come in on Live Update?
Unlikely. You'd have to do a man-in-the-middle attack for that, e.g. capture the user's DNS traffic or route his traffic through the MITM. Both rather unlikely in an Internet scenario unless you have a _really_ lousy provider.
- What if I have a firewall?
In a connection-state-tracking software firewall it would matter what comes first: the antivirus or the firewall. A hardware firewall would protect you better as it comes first in any case, but it wouldn't protect you from an exploit that travels from your e-mail account to your machine.
IMO Symantec products all suffer from bloat:
- Way too many features, which no average user can comprehend. (And I have a suspicion that the developers don't either.)
- The install base of the complete package is probably above 100 MB. I think a firewall and antivirus should be doable in a fraction of that. (Excluding signature files.)
- They slow the systems they are installed on to a crawl.
- I get 5+ support calls a day that deal with broken Symantec products. (E-mail and internet related.)
Please use FreeAVG, AntiVir or learn how to use ClamAV!
Better yet: install FOSS software like I did years ago, and get rid of _all_ these problems in an instant.
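The post above speculates that the mail scanner inspects anything on the POP3 port regardless of connection state, and that it therefore matters whether the antivirus or a connection-state-tracking firewall sees an inbound packet first. The following toy model illustrates that ordering point; it is an added example, not code from the original thread and not Symantec's product, and every address, port flow and packet in it is constructed (the addresses are from the documentation-only TEST-NET ranges). The "scanner" here is a hypothetical stand-in that merely records which packets it was allowed to look at.

```python
from dataclasses import dataclass

POP3_PORT = 110
HOST = "192.0.2.10"           # constructed: the protected workstation
MAIL_SERVER = "198.51.100.5"  # constructed: the POP3 server the user really talks to
STRANGER = "203.0.113.7"      # constructed: a host the workstation never connected to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed traffic: one legitimate mail fetch (request and reply), followed
# by an unsolicited inbound packet that merely claims to come from port 110.
SAMPLE_PACKETS = [
    Packet(HOST, 50000, MAIL_SERVER, POP3_PORT, b"USER alice\r\n"),
    Packet(MAIL_SERVER, POP3_PORT, HOST, 50000, b"+OK password required\r\n"),
    Packet(STRANGER, POP3_PORT, HOST, 50001, b"+OK <unsolicited data>\r\n"),
]


class StatefulFirewall:
    """Remembers connections the host opened; an inbound packet passes only if
    it is the reply half of one of those flows."""

    def __init__(self, host):
        self.host = host
        self.flows = set()  # (local_port, remote_ip, remote_port)

    def note_outbound(self, pkt):
        if pkt.src == self.host:
            self.flows.add((pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt):
        return pkt.dst == self.host and (pkt.dport, pkt.src, pkt.sport) in self.flows


class MailScanner:
    """Hypothetical port-based inspector: looks at any packet touching port 110,
    with no notion of connection state (the behaviour the post suspects)."""

    def __init__(self):
        self.inspected = []

    def inspect(self, pkt):
        if POP3_PORT in (pkt.sport, pkt.dport):
            self.inspected.append(pkt)


def run(packets, host, scanner_first):
    """Return the source addresses of the inbound packets the scanner got to
    parse, for the chosen ordering of scanner and firewall."""
    fw = StatefulFirewall(host)
    scanner = MailScanner()
    for p in packets:
        if p.src == host:
            fw.note_outbound(p)  # host-initiated: record the flow, nothing to inspect
            continue
        if scanner_first:
            scanner.inspect(p)   # parses the packet before the firewall decides
            fw.inbound_allowed(p)
        elif fw.inbound_allowed(p):
            scanner.inspect(p)   # only established-flow replies reach the parser
    return [p.src for p in scanner.inspected]


if __name__ == "__main__":
    print("scanner before firewall:", run(SAMPLE_PACKETS, HOST, scanner_first=True))
    print("firewall before scanner:", run(SAMPLE_PACKETS, HOST, scanner_first=False))
```

With the scanner in front, the unsolicited packet from the stranger is parsed just like the real server's reply; with state tracking in front, only the reply to the connection the host itself opened reaches the parser. That is the whole of the post's ordering argument: whatever bugs an inspection engine has, exposing it only to traffic the host asked for shrinks what an unsolicited sender can feed it.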
Avast!
AVG Anti-Virus
Firewall?
Just wait until some PHB or road warrior brings their laptop in and it is infected. Or my favorite: someone (law clerk) was bringing in files that her computer at home wouldn't open correctly to see if the work computers could open them because they seem to do more. I guess the idea was to make sure they weren't needed before they got deleted.
And what if the firewall is a Norton product? Or spread via email too. Oh well.
How the exploit functions (a loose theory)
1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks, including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running.
2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." Many of these same users are also granted secure access to remote servers behind their companies' firewalls...
3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low-level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more vulnerable to theft. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens' Social Security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec places the laptop on the front porch of their home each night.
It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version...
If you're a Symantec employee (and you agree) post anonymously under this thread. Just so you know I really am a Symantec employee, let me ask you this: how many "strongly disagrees" did YOU put on the SymPulse survey? Wouldn't it be great if our company actually paid any attention at all to that survey and decided to put the technology first? Guess we'd have to change our name to Sun then.
Symantec has been putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't it a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?
I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.
Your email has been returned due to insufficient voltage.
They should call it "Norton Network Security", since it seems to block most local traffic also. My big question is whether I should wait until the subscription expires before uninstalling it, or rip it out now to save on future headaches.
What?