Slashdot Mirror


Symantec Posts Fix To Vulnerability

An anonymous reader writes "Just a few days after it was discovered, Symantec has posted a fix to a critical flaw with its Antivirus software." From the article: "The eEye digital security firm reported the problem initially, and discovered it was present in the newest versions of the affected Symantec products. Further research noted by Symantec described the problem as a flaw that made the products vulnerable to a stack overflow. Once exploited, that overflow could have permitted an attacker to execute code on the machine, with System level rights. The issue was made worse by being one that impacted enterprise-level customers, big spenders that purchase hundreds or thousands of licenses depending on the size of the business."


  1. Patched or not, IPS Signatures? by lightyear4 · Score: 3, Informative

    Patched or not, the information presented here and in the pages linked therein makes it clear that -- until all machines are patched -- there is a distinct possibility of an exploit getting through. To that end, I have no doubt some groups have been hot on the issue looking for the hole.

    The same page ^^^ implies that Symantec released IPS signatures for their products. With that said, do any signatures exist for other IPS/IDS solutions (Snort, etc.)? If so, I would very much like to utilize them until any possibility of a threat has passed.

  2. stack vs heap by Lord+Ender · Score: 3, Informative

    For the curious: The reason they point out that this is a stack-based BoF is because stack addresses are easily predictable, while heap addresses are not. So stack-based overflows are much easier to write exploits for.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

  3. Re:As long as we use langs without memory safety. by abb3w · Score: 3, Informative

    Yes. Memory-safe languages running inside a VM are exactly the kind of languages that I'd choose to write antivirus software.

    Especially antivirus software that intercepts kernel hooks....

    --
    //Information does not want to be free; it wants to breed.