Slashdot Mirror


Symantec AntiVirus Hole Found

Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"

27 of 241 comments

  1. That saves time! by bunbuntheminilop · · Score: 5, Funny
    Symantec will only have to make viruses for its own programs!

    (ouch, that was a little harsh)

    1. Re:That saves time! by thc69 · · Score: 4, Funny
      Pardon my grammar naziesque intrusion, but...sometimes funky grammar is merely a minor annoyance, and other times, it has quite an effect on readability.

      For example, when I read "could suck money out of an Enron Execs. hand!", I thought you meant that they could suck money out of Enron executives, and just had a gratuitous "an" shoved in there (or accidentally pluralized "Exec"); and I couldn't understand the seemingly misplaced exclamation "hand!" So, I read it as follows:
      "...could suck money out of an Enron executive.

      Hand!"

      This thoroughly confused me. It took me way too long to determine that you were attempting to properly abbreviate the word "executive" while also making it possessive. While probably not more grammatically correct, a clearer way to write it would be:
      "...could suck money out of an Enron exec's hand!"

      Now, if I thought it took a long time to figure out what you meant, imagine how much time I've wasted writing this!

      ObSymantec: I try to discourage people from using Symantec products. In my ~14 years experience with their stuff, I've found that their antivirus is expensive, slows the computer down way too much, and is no more effective than any other; and I've also found that their other utilities tend to be mostly snake oil. It wasn't always that way -- DOS and even Windows 3.1 versions of Norton Utilities were actually useful _and_ unique. Since the program that gazillions of folks use to secure their machine is opening holes, maybe it's time for everybody to move on.

      Oh yeah, and...

      Hand!
      --
      Procrastination -- because good things come to those who wait.
  2. Details? by SomeGuyFromCA · · Score: 5, Insightful

    Is it server-side or client-side? Is it push or pull?

    If it affects the install on the clients, but needs to get access to them, I wave my paw and say "bah."

    If, on the other hand, it can attack the server...

    Well, then again, everything should be behind a firewall anyway, with only needed ports forwarded.

    I mean that's just common sense...

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    1. Re:Details? by neil.orourke · · Score: 5, Informative

      http://www.smh.com.au/ had a writeup about this which said that Norton Internet Security guarded against this flaw in Norton AntiVirus. Go figure on the implications of that.

    2. Re:Details? by cp.tar · · Score: 4, Funny

      OK, let me try:

      • First they sell you an antivirus to protect you against viruses and other malicious code.
      • Then they sell you a security package which will protect you against malicious code which the antivirus cannot detect. Or which attacks the antivirus itself.
      • Soon they'll sell you an additional package which will make sure nothing gets past the security package.
      • And another one to keep all those in check.
      • Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

      Perfect security - and the Quis custodiet ipsos custodes? problem solved. Rather neat...

      --
      Ignore this signature. By order.
    3. Re:Details? by Jesus_666 · · Score: 5, Funny

      Norton Antivirus offers perfect security. Just leave it installed on a home user PC for long enough. Sooner or later the system will shut down in an unclean fashion, which NAV will take as a reason to hang at startup, taking the NIC with it.

      Bang - no NIC, no malicious traffic from the internet.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    4. Re:Details? by Fred_A · · Score: 4, Funny
      Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

      I thought everybody agreed that this was the purpose of dual core CPUs for Windows machines. One to run the bundled Norton crud, one to run the apps.

      Of course some people follow the advice of their more enlightened friends/neighbours/family and switch to other products or other systems.

      (note: this does not apply to corporate networks unless they are handled by idiots. Um. Doesn't apply to *all* corporate networks.)
      --
      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:Details? by Anonymous Coward · · Score: 5, Funny

      From all the installations I've had to fix, I believe that by "Norton Internet Security" what they really mean is that "it protects the internet from YOU".

  3. Good news, everyone! by christopherfinke · · Score: 5, Funny
    "This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine."
    Well that's a relief. Who would ever want to use the Windows shell? I'd call that security through, uh, suckurity.
    1. Re:Good news, everyone! by gbobeck · · Score: 5, Funny
      I'd call that security through, uh, suckurity.

      Toss in the complete inability to hack that most script kiddies have... and now you also have security through stupidity.

      I always loved watching my snort logs when some kiddie attempted to 0wn my FreeBSD server running Zope/Plone + Apache by tossing every IIS 5 attack they have a script for.
      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
  4. So people have discovered Norton's DRM Rootkit? by oztiks · · Score: 5, Funny

    They are just calling it an exploit just so they don't get into trouble ;)

  5. Who has heard that conspiracy theory by Sentri · · Score: 5, Funny

    That the Antivirus people are the ones putting the viruses out there to keep their businesses running

    *grabs tinfoil hat*

    --
    Can't we all just get along
  6. Throw me a friggin bone! by BarryLoper · · Score: 5, Insightful

    OK that leaves about every question unanswered.

    At least give us a little bit on how this vulnerability could be exploited other than: This flaw does not require any end user interaction
    • Do I have to browse to a malicious website?
    • Do I have to download an infected file for it to scan?
    • Does it somehow come in on Live Update?
    • What if I have a firewall?

    Throw me a friggin bone here! I'm the user... Need the info...

    I suppose the important part is they got the scoop!

    1. Re:Throw me a friggin bone! by skiflyer · · Score: 4, Informative

      I didn't read this link, but I read it on CNN, and to answer your first two questions no... they very specifically said the real concern here is that a user can be attacked without doing anything.

      As far as #3, the hows were unaddressed.

      #4, it seems that at least several firewall packages block it just fine... but there was no discussion as to whether or not it was something special about the packages mentioned, or if it's just blocking some specific port that makes you safe.

  7. Re:No wai- by B3ryllium · · Score: 4, Funny

    Well, they do say that you should fight fire with fire ...

  8. Consumer versions not affected by Anonymous Coward · · Score: 5, Informative

    Coverage on http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html CNN notes that it appears only the corporate version is affected.

    "eEye said it appeared consumer versions of Symantec's Norton Antivirus software -- sold at retail outlets around the country -- were not vulnerable to the flaw, though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected."

  9. startkeylogger by DrunkenTerror · · Score: 4, Funny

    startkeylogger

  10. Re:It's hard to imagine.... by Anonymous Coward · · Score: 5, Insightful

    Symantec hasn't actually ever made a good product. They BUY good products and then drive them into the ground. Ghost was just the last of the Norton suite of products that they got around to breaking.

    Actually as far as I can tell Symantec hasn't actually ever made a product at all. I'm sure they must have once, how else did they ever get the money to buy Norton in the first place (venture capital I guess), but every Symantec product I can think of was originally acquired from someone else.

    I'd find it very hard to imagine a company that has done nothing but destroy every piece of intellectual property it acquires and continues to make money. Unfortunately I've seen it...

  11. DUH! we've been calling it Norton Virus for years! by aaron_pet · · Score: 5, Insightful

    I've never seen a program cause as many problems as some of these name brand anti-virus programs.. they're worse than having the viruses!!! and they add extra complexity that gives attackers more possibilities for exploitation.

    Keep your patches up to date, or don't connect to the internet...
    Don't open ANY freaking attachments, unless you expect it, and you know where it came from... or don't connect to the network.

    My mom's computer has their security suite? set up on it... it basically just nags her when programs try to do anything... it's nice that it warns about Real Player's nasties... but we all know to uninstall that bastard and just use the codec... ... I'm saying stuff that everybody already knew... but nobody cared enough to nuke that company for the good of the world.

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  12. Alternatives to Symantec Antivirus? by Anonymous Coward · · Score: 5, Interesting

    My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.

    Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.

  13. Re:It depends by MillionthMonkey · · Score: 4, Interesting

    I work at a big stupid company that has a site license for Rational Clearcase, a totally retarded product we are forced to use by upper management. Fortunately, SAV 10 is incompatible with the Clearcase Windows client- it diagnoses it as malware and attempts to remove the "infection". So we cannot upgrade from SAV 9. When they were doing the automated rollouts a few days ago, we had to send our machine names to the CC administrator to prevent the upgrade process from installing SAV 10 on our machines.

    So now we don't have to worry about this security hole, which means we can finally say that something good came out of using Rational Clearcase.

  14. eEye close to MS? by fv · · Score: 4, Informative

    I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).

    -Fyodor (Insecure.Org)

  15. The Hows: A well reasoned theory and some impacts by allroy63 · · Score: 4, Interesting

    How the exploit functions (a loose theory)

    1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks - including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running.

    2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." Many of these same users are also granted secure access to remote servers behind their companies' firewalls...

    3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more likely to be stolen. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens' social security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec placed the laptop on the front porch of their home each night.

    It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version...

  16. Re:It's hard to imagine.... by bm5k · · Score: 4, Insightful

    I'd find it very hard to imagine a company that has done nothing but destroy every piece of intellectual property it acquires and continues to make money.

    Why? AOL's been doing it for YEARS. Remember ICQ? Winamp? Need I say more?

  17. Re:what a joke they are by Himring · · Score: 4, Insightful

    Well, in our case we tried hard to replace Symantec's enterprise AV, but nothing could fit our network as well. The main selling point is that the SAV console works for us. We have 100s of sites across the country on every imaginable type of connection, and each and every other AV "enterprise" suite fell on its face -- except Symantec's. We really, REALLY, wanted Trend Micro's OfficeScan product to work. It is, by far (IMO), one of the best admin-centric AV tools out there, but it, too, could not handle our disparate network.

    There's more to AV than your home computer. Managing 1000s of machines across the country takes more than the tiniest AV program you can stick on one computer. Our needs are first and foremost having an AV install on each system, with good virus defs, and that we can actually manage remotely. SAV is still the best for that in our opinion....

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  18. But if they want to save development cycles... by Dystopian+Rebel · · Score: 5, Funny

    All they have to do is rebrand their anti-virus product "PC Anywhere SE".

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  19. Nothing surprising about this "development" by hausmaus · · Score: 4, Interesting

    Symantec has been putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't that a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?

    I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.

    --
    Your email has been returned due to insufficient voltage.