Slashdot Mirror
Symantec AntiVirus Hole Found
Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"
(ouch, that was a little harsh)
Is it server-side or client-side? Is it push or pull?
If it affects the install on the clients, but needs to get access to them, I wave my paw and say "bah."
If, on the other hand, it can attack the server...
Well, then again, everything should be behind a firewall anyway, with only needed ports forwarded.
I mean that's just common sense...
if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
How a company could fsk itself more or harder. First the totally bogas licensing restriction of Ghost, the last good product they made, and now this. Sad.
"Eve of Destruction", it's not just for old hippies anymore...
Protect your computer! Remove your virus scanner! .. hang on.. :) Very sloppy.. It's like the firebrigade trying to save your house with flamethrowers.
They are just calling it an exploit just so they dont get into trouble ;)
That the Antivirus people are the ones putting the virus's out there to keep their businesses running
*grabs tinfoil hat*
Can't we all just get along
OK that leaves about every question unanswered.
At least give us a little bit on how this vulnerability could be exploited other than: This flaw does not require any end user interactionThrow me a friggin bone here! I'm the user... Need the info...
I suppose the important part is they got the scoop!
I'm not a Symantec fanboy but Symantec Antivirus (SAV) - the enterprise version - is pretty lean. As for Norton Antivirus or whatever they call it now...I couldn't agree more with your estimation of its bloatedness.
Question 1: Are norton Consumer level products (Norton/symantec Antivirus 2006 for example) in this list.
Question 2: Where does this security vulnerability lie? In the scanning engine or in the GUI appliation wrapper or helper dll. This could let us know if the Symantec Antivirus 9 -> 1 are bad.
Im holding Slashdot to a Slashback on this as this unfolds.
BTW, any takers on the ammount of time till patch. Clock starts now.
Procrastinating life a way at a rapid rate of speed.
Coverage on http://www.cnn.com/2006/TECH/internet/05/25/antivi rus.flaw.ap/index.html CNN notes that it appears only the corporate version is affected.
"eEye said it appeared consumer versions of Symantec's Norton Antivirus software -- sold at retail outlets around the country -- were not vulnerable to the flaw, though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected."
startkeylogger
I've never seen a program cause as many problems as some of these name brand anti-virus programs.. they're worse than having the viruses!!! and they add extra complexity that gives attackers more possibilities for exploitation.
... I'm saying stuff that everybody already knew... but nobody cared enough to nuke that company for the good of the world.
Keep your patches up to date, or don't connect to the internet...
Don't open ANY freaking attachments, unless you expect it, and you know where it came from... or don't connect to the network.
My mom's computer has their security suite? set up on it... it basically just nags her when programs try to do anything... it's nice that it warns about Real Player's nasties... but we all know to unistall that basterd and just use the codec...
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
Great, so lets just advertise that it's vulnerable instead of fixing it! How many h4x0rz are going to try to 'sploit this now as opposed to before for a quick ego trip?
I had a bit of a problem a few years ago with SpyWare, first I Installed a IE plugin and then moved to FireFox.
These 'Security' behemoths are insane. They hog 20%+ of computer resources with their 'real time scanning'. The only time anything needs to be scanned is when it's first comming to your computer. Downloads need to be scanned, that's it! If I download something questionable, I'll run it through Trend Micro online scan before running.
Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.
Firefox and a little common sense and this whole virus/spyware thing is just not an issue for me. I haven't run SpyBot/AdAware since last year. I occasionally scan my download folder with TM Online.
Recent history:
Does anyone else feel that this time line suggests that the last item or two might be part of a hidden agenda? Are we witnessing the start of a FUD throwing contest between two of the industry's major players?
I am so confused. What web news publishers should I now put my faith in?
My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.
Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.
I'm getting tired, keep up with all these holes that need to get fixed to save my employment of a basic pay cheque.
We need to fix root cause of the problem. Not restore service, but fix it.
It's time to tackle this problem at the compiler level. Get rid of the various IDE wizards, where the latest summer student can spend 5 minutes building a so called enterprise class application.
Instead of the next dual core processor, maybe the industry could spend some time on software and get it right.
probably found their own exploit. :P
My NAV is using a total of 9Mb RAM on my system as I type. It's always been more reliable in catching viruses than AVG, too.
What's this? Another weblog? On transit?
http://www.symantec.com/avcenter/security/Content/ 2006.05.25.html
Pure, unadulterated BS. I've used both and Nortons absolutely sucks compared to AVG. With Norton's my computer got so badly infected that I had to reinstall the OS two different times. Installed AVG and never had that problem again. Did I download anything that had the virus in it? No! Both times the viruses downlaoded themselves straight into my computer from the internet -- which means Norton's firewall didn't do anything to stop them. On top of this, one time I uninstalled it in order to reinstall it and I couldn't boot Windows afterward.
Nevertheless, I think Avast! is the best antivirus, but I've heard a great deal of good aobut NOD32 and Kaspersky's. Any of them beat Norton's. Hell, as bad as Norton's can screw up your computer no antivirus is sometimes better. I don't know how many times I had to reinstall it because it started screwing up or just didn't install right in the first place. All of that applies equally to McAffee too.
I don't know what the deal is here with you and whoever is modding anything critical of Symantec as "flamebait" and your BS as insightful, but you can't quit with the outright lying. You've both made yourselves as transparent as freshly-cleaned glass. Normally, I'd think someone who made such an accusation was paranoid, but that's how blindlingly obvious you guys have been. And the thread is still young. Too bad the people running this site aren't involved enough to care anymore.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).
-Fyodor (Insecure.Org)
Avast!
AVG Anti-Virus
How the exploit functions (a loose theory) 1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks - including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running. 2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antiv irus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." Many of these same users are also granted secure access to remote servers behind their companies' firewalls...
3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more likely to theft. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens social security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec place the laptop on the front porch of their home each night.
It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version...
2.
reason not to do business with them: When I found out that the consumer versions couldn't even uninstall *themselves* cleanly, I reasoned there was no way they'd be able to remove anything else...
So, how *do* they manage to stay in business with such a large share of the security market?
(bustling off to buy put options...)
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
If you're a Symantec employee (and you agree) post anonymously under this thread. Just so you know I really am a Symantec employee, let me ask you this: how many "strongly disgrees" did YOU put on the SymPulse survey? Wouldn't it be great if our company actually payed any attention at all to that survey and decided to put the technology first? Guess we'd have to change our name to Sun then.
Now I'm happy that my Windows is safe inside vmware and running only twice a month using Linux as host and firewall :)
Pixel image editor - http://www.kanzelsberger.com
Until people like you learn how to code.
Sadly, morons who can't figure out how to check buffer length and pointer cromulence is what the industry really has to 'put up with'.
Well, in our case we tried hard to replace symantec's enterprise av, but nothing could fit our network as well. The main selling point is that the SAV console works for us. We have 100s of sites across the country on every imaginable type of connection, and each and every other AV "enterprise" suite fell on its face -- except Symantec's. We really, REALLY, wanted trendmicro's officescan product to work. It is, by far (IMO), one of the best admin-centric AV tools out there, but it, too, could not handle our disparate network.
There's more to AV than your home computer. Managing 1000s of machines across the country takes more than the tinyest AV program you can stick on one computer. Our needs are first and foremost having an AV install on each system, with good virus defs, and that we can actually manage remotely. SAV is still the best for that in our opinion....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
All they have to do is rebrand their anti-virus product "PC Anywhere SE".
Rich And Stupid is not so bad as Working For Rich And Stupid.
This gaping hole is intentional, but it wasn't suppose to be released yet. That was a mistake. It's a new Symantec Anti-Virus feature called "Wide Open Front Door". WOFD opens up many large security holes in your system, with the intention of confusing attackers - when a potential attacker finds a system with so many massive, gaping security flaws, they figure their must not be anything interesting inside because if there were the system would certainly be locked down tight. The potential attacker will figure it's not worth the trouble and attack some other system instead.
--- What?
Symantec has putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't that a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?
I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.
Your email has been returned due to insufficent voltage.
That is so ironic it's almost surreal.
That's like making an operating system that causes a computer not to operate.
Oh, wait...
The difference between the home and enterprise version of Norton are absolutely huge. One sucks, one seems to work fairly well. The home version is awful. I mean really, I don't think I could possibly design a worse product. What genius decided that massive dependencies on Internet Explorer is a good idea for an antivirus program. Internet Explorer and related components are usually the ones raped in virus and malware attacks. IE breaks, and the interface to NIS breaks. Brilliant!
Can't uninstall in safe mode. Uninstall works so poorly they even release a standalone uninstaller, which in my experience is necessary almost 50% of the time for broken Norton installs.
The silent breakage. NIS is absolutely famous for this. I get clients call with the broken net access, sluggish response, programs not running correctly, scripting engines not working under IE despite being enabled, etc. Malware, virus, spyware? Nope. It's NIS. I can't count the number of quirky problems fixed simply by uninstalling NIS. It's generally a first step for me anymore.
Learning firewalls are totally pointless for home users. The typical home user can barely check email, and clicks OK to every web-popup. Do you really think they are up to allowing/denying outoing port traffic? Even in the corporate environment, you should never trust a user to make decisions like that. It's not their job. If you're an admin, they pay YOU to do that.
And no NAV, I don't give rats ass unless you actually find an infection. Take your little balloon popups and shove them. If you don't have anything valid to say, leave me the hell alone. All of the major AV programs these days are pretty much adware. "hey look at us, we're working. You paid for us and we're doing something, yeah!". Damn attention whores.