Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec AntiVirus Hole Found

Posted by ryuzaki0 on from the safer-than-sorry dept.

Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"

37 of 241 comments (clear)

  1. That saves time! by bunbuntheminilop · · Score: 5, Funny
    Symantic will only have to make viruses for its own programs!

    (ouch, that was a little harsh)

    1. Re:That saves time! by thc69 · · Score: 4, Funny
      Pardon my grammar naziesque intrusion, but...sometimes funky grammar is merely a minor annoyance, and other times, it has quite an effect on readability.

      For example, when I read "could suck money out of an Enron Execs. hand!", I thought you meant that they could suck money out of Enron executives, and just had a gratuitous "an" shoved in there (or accidentally pluralized "Exec"); and I couldn't understand the seemingly misplaced exclamation "hand!" So, I read it as follows:
      "...could suck money out of an Enron executive.

      Hand!"

      This thoroughly confused me. It took me way too long to determine that you were attempting to properly abbreviate the word "executive" while also making it posessive. While probably not more gramatically correct, a clearer way to write it would be:
      "...could suck money out of an Enron exec's hand!"

      Now, if I thought it took a long time to figure out what you meant, imagine how much time I've wasted writing this!

      ObSymantec: I try to discourage people from using Symantec products. In my ~14 years experience with their stuff, I've found that their antivirus is expensive, slows the computer down way too much, and is no more effective than any other; and I've also found that their other utilities tend to be mostly snake oil. It wasn't always that way -- DOS and even Windows 3.1 versions of Norton Utilities were actually useful _and_ unique. Since the program that gazillions of folks use to secure their machine is opening holes, maybe it's time for everybody to move on.

      Oh yeah, and...

      Hand!
      --
      Procrastination -- because good things come to those who wait.
  2. Details? by SomeGuyFromCA · · Score: 5, Insightful

    Is it server-side or client-side? Is it push or pull?

    If it affects the install on the clients, but needs to get access to them, I wave my paw and say "bah."

    If, on the other hand, it can attack the server...

    Well, then again, everything should be behind a firewall anyway, with only needed ports forwarded.

    I mean that's just common sense...

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    1. Re:Details? by neil.orourke · · Score: 5, Informative

      http://www.smh.com.au/ had a writeup about this which said that Norton Internet Security guarded against this flaw in Norton AntiVirus. Go figure on the implications of that.

    2. Re:Details? by cp.tar · · Score: 4, Funny

      OK, let me try:

      • First they sell you an antivirus to protect you against viruses and other malicious code.
      • Then they sell you a security package which will protect you against malicious code which the antivirus cannot detect. Or which attacks the antivirus itself.
      • Soon they'll sell you an additional package which will make sure nothing gets past the security package.
      • And another one to keep all those in check.
      • Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

      Perfect security - and the Quis custodet ipsos custodes? problem solved. Rather neat...

      --
      Ignore this signature. By order.
    3. Re:Details? by Jesus_666 · · Score: 5, Funny

      Norton Antivirus offers perfect security. Just leave it installed on a home user PC for long enough. Sooner or later the system will shut down in an unclean fashion, which NAV will take as a reason to hang at startup, taking the NIC with it.

      Bang - no NIC, no malicious traffic from the internet.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    4. Re:Details? by Fred_A · · Score: 4, Funny
      Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

      I thought everybody agreed that this was the purpose of dual core CPUs for Windows machines. One to run the bundled Norton crud, one to run the apps.

      Of course some people follow the advice of their more enlightened friends/neighbours/family and switch to other products or other systems.

      (note: this does not apply to corporate networks unless they are handled by idiots. Um. Doesn't apply to *all* corporate networks.)
      --

      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:Details? by Anonymous Coward · · Score: 5, Funny

      From all the installations I've had to fix, I believe that by "Norton Internet Security" what they really mean is that "it protects the internet from YOU".

  3. Good news, everyone! by christopherfinke · · Score: 5, Funny
    "This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine."
    Well that's a relief. Who would ever want to use the Windows shell? I'd call that security through, uh, suckurity.
    1. Re:Good news, everyone! by gbobeck · · Score: 5, Funny
      I'd call that security through, uh, suckurity.


      Toss in the complete inability to hack that most script kiddies have... and now you also have security through stupidity.

      I always loved watching my snort logs when some kiddie attempted to 0wn my FreeBSD server running Zope/Plone + Apache by tossing every IIS 5 attack they have a script for.
      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
  4. So people have discovered Nortons DRM Rootkit? by oztiks · · Score: 5, Funny

    They are just calling it an exploit just so they dont get into trouble ;)

  5. Who has heard that conspiracy theory by Sentri · · Score: 5, Funny

    That the Antivirus people are the ones putting the virus's out there to keep their businesses running

    *grabs tinfoil hat*

    --
    Can't we all just get along
  6. Throw me a friggin bone! by BarryLoper · · Score: 5, Insightful

    OK that leaves about every question unanswered.

    At least give us a little bit on how this vulnerability could be exploited other than: This flaw does not require any end user interaction
    • Do I have to browse to a malicious website?
    • Do I have to download an infected file for it to scan?
    • Does it somehow come in on Live Update?
    • What if I have a firewall?

    Throw me a friggin bone here! I'm the user... Need the info...

    I suppose the important part is they got the scoop!

    1. Re:Throw me a friggin bone! by skiflyer · · Score: 4, Informative

      I didn't read this link, but I read it on CNN, and to answer your first two questions no... they very specifically said the real concern here is that a user can be attacked without doing anything.

      As far as #3, the hows were unaddressed.

      #4, it seems that at least several firewall packages block it just fine... but there was no discussion as to whether or not it was something special about the packages mentioned, or if it's just blocking some specific port that makes you safe.

    2. Re:Throw me a friggin bone! by LordFolken · · Score: 3, Interesting

      The advisory is rather bleak at the moment, so following is pure speculation:

      Past exploits in software firewalls where issues in the packet inspection engine. The engine packs itself infront of the tcpip stack of windows and inspects _every_ packet that goes in or out, regardless of wheter it connects to some port or not. This is done in order to log the packet and to reassure the user with annoying popups that his investment was worth his money.

      Back to antivirus: This thing also scans email. It does this by scanning the traffic on pop3 and imap ports. My suspicion is that it does this regardless of the connection state. E.g. if you send packets from port 110 to the target machine it probably inspects them, even if the target machine isn't currently downloading any email. Again: this is speculation on my part.

      To answer the parent's questions:

      If the above is the case:

      - Do I have to browse to a malicious website?
      Probably not.

      - Do I have to download an infected file for it to scan?
      It's possible that the worm also works when an email is scanned. So if you recieve an email that has such a virus attached your machine would be also infected even if you'd use a hardware firewall.

      - Does it somehow come in on Live Update?
      Unlikley. You'd have to do a man in the middle attack for that. E.g. capture the users dns traffic or route his traffic through the mitm. Both rather unlikley in an Internet scenario unless you have a _really_ lousy provider.

      - What if I have a firewall?
      In a connection-state tracking software firewall it would matter in what comes first: the antivirus or the firewall. A hardware firewall would protect you better as it comes first in any case, but it wouldn't protect you from an exploit that travels from your e-mail account to your machine.

      IMO symantec products all suffer from bloat:
        - Way too many features, no average user can comprehend. (and i have a suspicion that the devlopers don't either.)
        - The install base from the complete package is probably above 100MB. I think a firewall and
      antivirus should be doable in a fraction of that. (excluding signature files)
        - They slow the systems they are installed to to a crawl.
        - I get 5+ support calls a day that deal with broken symantec products. (e-mail and internet related.)

      Please use FreeAVG, AntiVir or learn how to use ClamAV!

      Better yet: install FOSS software like i have done years ago, and get rid of _all_ these problems in an instant.

  7. Older Versions? by tecker · · Score: 3, Insightful
    I noted that the eEye details point out this:
    Symantec Antivirus 10.x
    Symantec Client Security 3.x
    (Other Symantec Antivirus products are also potentially affected, waiting for vendor list)


    Question 1: Are norton Consumer level products (Norton/symantec Antivirus 2006 for example) in this list.

    Question 2: Where does this security vulnerability lie? In the scanning engine or in the GUI appliation wrapper or helper dll. This could let us know if the Symantec Antivirus 9 -> 1 are bad.

    Im holding Slashdot to a Slashback on this as this unfolds.

    BTW, any takers on the ammount of time till patch. Clock starts now.
    --
    Procrastinating life a way at a rapid rate of speed.
  8. Re:No wai- by B3ryllium · · Score: 4, Funny

    Well, they do say that you should fight fire with fire ...

  9. Consumer versions not affected by Anonymous Coward · · Score: 5, Informative

    Coverage on http://www.cnn.com/2006/TECH/internet/05/25/antivi rus.flaw.ap/index.html CNN notes that it appears only the corporate version is affected.

    "eEye said it appeared consumer versions of Symantec's Norton Antivirus software -- sold at retail outlets around the country -- were not vulnerable to the flaw, though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected."

  10. startkeylogger by DrunkenTerror · · Score: 4, Funny

    startkeylogger

  11. Re:It's hard to imagine.... by Anonymous Coward · · Score: 5, Insightful

    Symantec hasn't actually ever made a good product. They BUY good products and then drive them into the ground. Ghost was just the last of the Norton suite of products that they got arround to breaking.

    Actually as far as I can tell Symantec hasn't actually ever made a product at all. I'm sure they must have once, how else did they ever get the money to buy Norton in the first place (venture capital I guess), but every Symantec product I can think of was originally aquired from someone else.

    I'd find it very hard to imagine a company that has done nothing but destroy every piece of intelectual property it aquires and continues to make money. Unfortunately I've seen it...

  12. Re:No wai- by Nefarious+Wheel · · Score: 3, Funny
    Dunno, I find that the cold proc of Blade of Walnan works better for fire elementals in Nadox than Fist of Ixiblat, which is a fire proc.

    Oh, wait...

    --
    Do not mock my vision of impractical footwear
  13. DUH! we've been calling it Norton Virus for years! by aaron_pet · · Score: 5, Insightful

    I've never seen a program cause as many problems as some of these name brand anti-virus programs.. they're worse than having the viruses!!! and they add extra complexity that gives attackers more possibilities for exploitation.

    Keep your patches up to date, or don't connect to the internet...
    Don't open ANY freaking attachments, unless you expect it, and you know where it came from... or don't connect to the network.

    My mom's computer has their security suite? set up on it... it basically just nags her when programs try to do anything... it's nice that it warns about Real Player's nasties... but we all know to unistall that basterd and just use the codec... ... I'm saying stuff that everybody already knew... but nobody cared enough to nuke that company for the good of the world.

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  14. no proof of concept yet? by themysteryman73 · · Score: 3, Insightful
    "there are no publicly shared proof-of-concept exploits or other information to suggest an attack is imminent"

    Great, so lets just advertise that it's vulnerable instead of fixing it! How many h4x0rz are going to try to 'sploit this now as opposed to before for a quick ego trip?

  15. tit for tat? by mysticgoat · · Score: 3, Interesting

    Recent history:

    1. Symantic files suit against Microsoft with some kind of anticompetitive or abuse of license beef involving Vista.
    2. A day or so later, Symantic announces a zero-day exploit of Word. The malware in the Word document drops the ginwui worm that opens a backdoor and uses rootkit technology to hide itself and its activities. Symantic says that some companies have been victimized by this perhaps for months.
    3. And now a day or so later, a company with close ties to Microsoft announces that a major Symantic product contains a massive security flaw.

    Does anyone else feel that this time line suggests that the last item or two might be part of a hidden agenda? Are we witnessing the start of a FUD throwing contest between two of the industry's major players?

    I am so confused. What web news publishers should I now put my faith in?

  16. Alternatives to Symantec Antivirus? by Anonymous Coward · · Score: 5, Interesting

    My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.

    Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.

    1. Re:Alternatives to Symantec Antivirus? by Splab · · Score: 3, Insightful

      Sophos is probably one of the most annoying AV programs I've tried. For some insane reason it has to do it's virus scans each day - and during work hours. You cant dismiss it and it keeps getting focus from windows, that means during the 3-5 minuttes it's scanning I can't do anything.

      (This is on a corporate network, I haven't got anything to do with how/why it's running )

  17. Re:It depends by MillionthMonkey · · Score: 4, Interesting

    I work at a big stupid company that has a site license for Rational Clearcase, a totally retarded product we are forced to use by upper management. Fortunately, SAV 10 is incompatible with the Clearcase Windows client- it diagnoses it as malware and attempts to remove the "infection". So we cannot upgrade from SAV 9. When they were doing the automated rollouts a few days ago, we had to send our machine names to the CC administrator to prevent the upgrade process from installing SAV 10 on our machines.

    So now we don't have to worry about this security hole, which means we can finally say that something good came out of using Rational Clearcase.

  18. idiots by chiseen · · Score: 3, Funny

    probably found their own exploit. :P

  19. Re:what a joke they are by Mistshadow2k4 · · Score: 3, Insightful

    Pure, unadulterated BS. I've used both and Nortons absolutely sucks compared to AVG. With Norton's my computer got so badly infected that I had to reinstall the OS two different times. Installed AVG and never had that problem again. Did I download anything that had the virus in it? No! Both times the viruses downlaoded themselves straight into my computer from the internet -- which means Norton's firewall didn't do anything to stop them. On top of this, one time I uninstalled it in order to reinstall it and I couldn't boot Windows afterward.

    Nevertheless, I think Avast! is the best antivirus, but I've heard a great deal of good aobut NOD32 and Kaspersky's. Any of them beat Norton's. Hell, as bad as Norton's can screw up your computer no antivirus is sometimes better. I don't know how many times I had to reinstall it because it started screwing up or just didn't install right in the first place. All of that applies equally to McAffee too.

    I don't know what the deal is here with you and whoever is modding anything critical of Symantec as "flamebait" and your BS as insightful, but you can't quit with the outright lying. You've both made yourselves as transparent as freshly-cleaned glass. Normally, I'd think someone who made such an accusation was paranoid, but that's how blindlingly obvious you guys have been. And the thread is still young. Too bad the people running this site aren't involved enough to care anymore.

    --
    I dream of a better world... one in which chickens can cross roads without their motives being questioned.
  20. eEye close to MS? by fv · · Score: 4, Informative

    I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).

    -Fyodor (Insecure.Org)

  21. Free alternatives to Symantec Antivirus by mlow82 · · Score: 3, Interesting

    Avast!
    AVG Anti-Virus

  22. The Hows: A well reasoned theory and some impacts by allroy63 · · Score: 4, Interesting

    How the exploit functions (a loose theory) 1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks - including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running. 2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antiv irus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." Many of these same users are also granted secure access to remote servers behind their companies' firewalls... 3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more likely to theft. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens social security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec place the laptop on the front porch of their home each night. It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version... 2.

  23. Re:It's hard to imagine.... by bm5k · · Score: 4, Insightful

    I'd find it very hard to imagine a company that has done nothing but destroy every piece of intelectual property it aquires and continues to make money.

    Why? AOL's been doing it for YEARS. Remember ICQ? Winamp? Need I say more?

  24. Re:what a joke they are by Himring · · Score: 4, Insightful

    Well, in our case we tried hard to replace symantec's enterprise av, but nothing could fit our network as well. The main selling point is that the SAV console works for us. We have 100s of sites across the country on every imaginable type of connection, and each and every other AV "enterprise" suite fell on its face -- except Symantec's. We really, REALLY, wanted trendmicro's officescan product to work. It is, by far (IMO), one of the best admin-centric AV tools out there, but it, too, could not handle our disparate network.

    There's more to AV than your home computer. Managing 1000s of machines across the country takes more than the tinyest AV program you can stick on one computer. Our needs are first and foremost having an AV install on each system, with good virus defs, and that we can actually manage remotely. SAV is still the best for that in our opinion....

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  25. But if they want to save development cycles... by Dystopian+Rebel · · Score: 5, Funny

    All they have to do is rebrand their anti-virus product "PC Anywhere SE".

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  26. Unitentional release of new feature by sjonke · · Score: 3, Funny

    This gaping hole is intentional, but it wasn't suppose to be released yet. That was a mistake. It's a new Symantec Anti-Virus feature called "Wide Open Front Door". WOFD opens up many large security holes in your system, with the intention of confusing attackers - when a potential attacker finds a system with so many massive, gaping security flaws, they figure their must not be anything interesting inside because if there were the system would certainly be locked down tight. The potential attacker will figure it's not worth the trouble and attack some other system instead.

    --
    --- What?
  27. Nothing suprising about this "development" by hausmaus · · Score: 4, Interesting

    Symantec has putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't that a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?

    I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.

    --
    Your email has been returned due to insufficent voltage.