Slashdot Mirror


Symantec Posts Fix To Vulnerability

An anonymous reader writes "Just a few days after it was discovered, Symantec has posted a fix to a critical flaw with its Antivirus software." From the article: "The eEye digital security firm reported the problem initially, and discovered it was present in the newest versions of the affected Symantec products. Further research noted by Symantec described the problem as a flaw that made the products vulnerable to a stack overflow. Once exploited, that overflow could have permitted an attacker to execute code on the machine, with System-level rights. The issue was made worse by being one that impacted enterprise-level customers, big spenders that purchase hundreds or thousands of licenses depending on the size of the business."

10 of 100 comments

  1. Patched or not, IPS Signatures? by lightyear4 · · Score: 3, Informative

    Patched or not, the information presented here and in the pages linked therein makes it clear that -- until all machines are patched -- there is a distinct possibility of an exploit getting through. To that end, I have no doubt some groups have been hot on the issue looking for the hole.

    The same page ^^^ implies that Symantec released IPS signatures for their products. With that said, do any signatures exist for other IPS/IDS solutions (Snort, etc.)? If so, I would very much like to utilize them until any possibility of a threat has passed.

  2. stack vs heap by Lord+Ender · · Score: 3, Informative

    For the curious: The reason they point out that this is a stack-based BoF is because stack addresses are easily predictable, while heap addresses are not. So stack-based overflows are much easier to write exploits for.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
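
    An added illustration of the mechanism the comment above refers to (this is editor-written example code, not code from the page, from Symantec or from eEye, and it has nothing to do with the actual flaw in the article): a simulated stack frame with a small fixed-size local buffer followed by the saved return address, an unchecked copy that runs past the buffer into that return address, and the bounds-checked copy that refuses oversized input. The buffer size, the "legitimate" return address and the 16-byte all-'A' input are constructed for the example; the frame is modelled as a flat byte array so the overwrite is deterministic and well-defined C rather than real undefined behaviour. A real frame would also contain a saved frame pointer, and a hardened build would place a stack canary before the return address; neither is modelled here.

```c
/* Editor-added example: simulated stack frame overwrite, not the page's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8                                /* hypothetical local buffer */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))  /* buf[8] | saved return (8) */
#define RET_OFFSET BUF_SIZE                       /* return address sits after buf */

/* Initialise the simulated frame: zeroed buffer, then a known return address. */
void frame_init(unsigned char *frame, uint64_t ret)
{
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + RET_OFFSET, &ret, sizeof ret);
}

/* Read back whatever currently occupies the saved-return slot. */
uint64_t frame_ret(const unsigned char *frame)
{
    uint64_t ret;
    memcpy(&ret, frame + RET_OFFSET, sizeof ret);
    return ret;
}

/* Vulnerable pattern: copy length comes from the input, not from the size of
 * the destination buffer, so anything longer than BUF_SIZE spills into the
 * saved return address. Returns bytes written. (The clamp to FRAME_SIZE only
 * keeps the *model* in bounds; a real strcpy/memcpy has no such limit.) */
size_t copy_unchecked(unsigned char *frame, const unsigned char *in, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, in, len);
    return len;
}

/* Hardened pattern: reject input that does not fit (-1) and never write past
 * the buffer, so the saved return address cannot be touched. */
int copy_checked(unsigned char *frame, const unsigned char *in, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(frame, in, len);
    return (int)len;
}

/* Run both copies against a constructed 16-byte input of 'A' (0x41) bytes.
 * Returns 1 when the unchecked copy replaced the saved return address with
 * 0x4141414141414141 and the checked copy left it intact, else 0. */
int demo(void)
{
    unsigned char frame[FRAME_SIZE];
    unsigned char payload[FRAME_SIZE];
    const uint64_t good_ret = 0x0000000000401000ULL;  /* constructed "real" return */

    memset(payload, 'A', sizeof payload);

    frame_init(frame, good_ret);
    copy_unchecked(frame, payload, sizeof payload);
    uint64_t after_unchecked = frame_ret(frame);

    frame_init(frame, good_ret);
    int rc = copy_checked(frame, payload, sizeof payload);
    uint64_t after_checked = frame_ret(frame);

    printf("unchecked copy: saved return 0x%016llx -> 0x%016llx\n",
           (unsigned long long)good_ret, (unsigned long long)after_unchecked);
    printf("checked copy:   rc=%d, saved return still 0x%016llx\n",
           rc, (unsigned long long)after_checked);

    return after_unchecked == 0x4141414141414141ULL
        && rc == -1
        && after_checked == good_ret;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

    The point the model makes concrete: with a fixed frame layout, the attacker knows exactly which input bytes land on the return address (here, bytes 8 through 15), which is the predictability the comment is talking about. The fix is not a smarter copy but a length check against the destination's size before any byte is written.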
  3. People deserve it by Urtica+dioica · · Score: 2, Informative

    Folks, this is what you get for using anti-computer software.

  4. Re:Symantec need to turn around by EvanED · · Score: 2, Informative

    You're one of two I've ever heard say that, as compared to over a hundred more people who've had to reinstall Windows because of Symantec's software.

    Three, now.

  5. Re:Symantec need to turn around by Velox_SwiftFox · · Score: 2, Informative

    Four, here; as a possibly relevant note I am running Symantec's AntiVirus 9, not 10 on several corporate servers (also with hardware firewalling and other best practices layering) and their newest 2005/2006 etc on about a dozen workstations (with fairly clueful users).

  6. Re:SWITCH TO NOD32 ALREADY!! by Wiz · · Score: 2, Informative

    Look more carefully. Symantec is the only one to get 100% for "On-demand detection of polymorphic viruses". For actual virus detection, it gets 97% & 98% depending on the situation.

    I think F-Secure, G Data Security & Kaspersky Labs do the best as they get 99%+ in all situations.

  7. Re:As long as we use langs without memory safety. by abb3w · · Score: 3, Informative

    Yes. Memory-safe languages running inside a VM is exactly the kind of languages that I'd choose to write antivirus software.

    Especially antivirus software that intercepts kernel hooks....

    --
    //Information does not want to be free; it wants to breed.
  8. Re:Symantec need to turn around by jim_v2000 · · Score: 2, Informative

    Their corporate client has a decent rep (until this).

    Symantec usually takes no more than a few days to release a patch for their corporate software when they are alerted to a security hole. Better than any/most other applications out there.

    Their consumer clients are steaming bloated piles of crap.

    If you're the kind of person who would notice that Norton Antivirus is "bloated", you shouldn't be using it.

    --
    Don't take life so seriously. No one makes it out alive.
  9. Re:In case the patch doesn't work by AudioEfex · · Score: 2, Informative

    I'm glad someone is posting it.

    All antivirus software does is bog down your PC. I used it for 10 years before I realized how useless it was.

    I run windows, but I don't get malware and viruses. Worst thing I ever get is an errant cookie. Why? Because I don't go to shady porn sites, I never download anything I don't know is safe, and I don't use IE.

    Every few months now I take the time to install NAV long enough to scan my system and ensure that I'm not infected, and every time, clean as a whistle.

    Computer security isn't hard for the home user. Have a good firewall, don't download crap, don't go to shady websites, use AdAware/Spybot every once in a while, and be happy.

    Pop-ups, spam, spyware, malware, viruses...it's all but eliminated by just being smart and using the bare minimum tools to protect yourself. It's people that just click on random shit and who fall for those "YOU WON AN XBOX 360!" and download shady software that get the issues.

    I'm not saying it can never happen to me; that would be foolish. But the chances of it happening are greatly exaggerated, and if you keep decent backups it doesn't matter anyway most of the time if it does happen. It's just not worth paying the increasing prices of AV software, nor is it worth how much it slows up your PC.

    AE

  10. Re:Fix-it time by Anonymous Coward · · Score: 1, Informative

    Why would the parent post be modded a 5 (Insightful)? There is no basis in truth for such a question, and it's just rhetoric and phony conspiracy.

    It is common knowledge that standard vulnerability reporting protocol in the security industry dictates that a vendor should be notified privately when a vulnerability is found in their product, and then given some reasonable amount of time (usually 30 days) to respond and create a patch. Then at the end of the wait period the vulnerability is released to the public at the researcher's discretion. So by default, of course the vendor would typically know before the public.

    In this case however, because the research group was eEye, there was no private notice. eEye's Marc Maiffret (Chief Hacking Officer) does not follow the industry standard protocol, and he immediately notified the world of the vulnerability, as is his standard MO. Fortunately, he does not post details on the specifics of the vulnerability, which slows the development of an exploit. So in this case the article was accurate.

    Besides all that, I have first-hand knowledge that Symantec was notified when the rest of the world was. And if anything, eEye should retract a statement that Maiffret made stating that it would take Symantec about a month to patch this vulnerability, when it actually took a few long and hard days.
