Slashdot Mirror
Symantec Posts Fix To Vulnerability
An anonymous reader writes "Just a few days after it was discovered, Symantec has posted a fix to a critical flaw with its Antivirus software." From the article: "The eEye digital security firm reported the problem initially, and discovered it was present in the newest versions of the affected Symantec products. Further research noted by Symantec described the problem as a flaw that made the products vulnerable to a stack overflow. Once exploited, that overflow could have permitted an attacker to execute code on the machine, with System level rights. The issue was made worse by being one that impacted enterprise-level customers, big spenders that purchase hundreds or thousands of licenses depending on the size of the business. "
Just a few days after it was discovered, Symantec has posted a fix to a critical flaw [CC] with its Antivirus software.
So how long after they confidentially reported the problem to Symantec (as I'm sure they did) did it take them to fix it?
Patched or not, the information presented here and in the pages linked therein make it clear that -- until all machines are patched -- there is a distinct possibility of an exploit getting through. To that end, I have no doubt some groups have been hot on the issue looking for the hole.
The same page ^^^ implies that symantec released IPS signatures for their products. With that said, do any signatures exist for other IPS/IDS solutions (snort, etc) ? If so, I would very much like to utilize them until any possibility of a threat has passed.
Yes, of course even in memory safe languages (Java, Python, etc) something somewhere needs to have memory access. That thing is the VM/interpreter. Fortunately there are very few areas of code in the VM that need to have memory access, so if you make those correct, then you can write a million lines of application code and know that there aren't any overflows in it.
-------------
Carry a concealed weapon in California
Their reputation as an anti-virus provider used to be second to none, now after bloated software and software bugs a lot of people are having second thoughts.
I think they need to go back to square one and develop a product that is not going to give them a bad reputation if they want to stay competitive.
After working with a lot of other anti-virus packages and seeing how un-invasive a good anti-virus package can be I refuse to use Symantec products anymore and to my clients I strongly recommend them change products when their license is up for renewal.
If it wasn't for Symantec bundelling their software with OEM's I wonder how much of an impact they would have? Most uneducated people I do work for think of all anti-virus as "Nortons" and are amazed at how much their system performance improves when I replace it with something else.
They used to have some good products 10 years ago, but I haven't seen a decent anti-virus release from them for a long time now.
For the curious: The reason they point out that this is a stack based BoF is because stack addresses are easily predictible, while heap addresses are not. So stack based overflows are much easier to write exploits for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Folks, this is what you get for using anti-computer software.
These simple steps will save you time and money, speed your computing experience, and, above all, avoid the vulnerability.
Thank you
I have nothing to say.
Yes. Memory-safe languages running inside a VM is exactly the kind of languages that I'd choose to write antivirus software.
After all, antivirus are not the kind apps that make your computer to underperform by a great margin, and they don't eat too many resources. Absolutely everything in software is about the algorithms, isn't it?
Seriously, Nod32 owns... owns, owns, owns.
w ww.av-comparatives.org/seiten/comparatives.html
Kaspersky is pretty good too.
But who in their right mind, that knows *anything* about security, uses Symantec or McAfee anti-virus products?
Check out these: http://www.av-comparatives.org/index.html?http://
And if you have a VirusBtn login, the 100% awards are alright indicators of virus scanner quality, but nowhere near as good as av-comparatives IMO.
http://www.angryburrito.com/ The best, completely unfinished software review site ever.
Was a time where we used the term "virus" to refer to a self replicating piece of code that didn't rely on exploits to move around. We used the term "worm" to refer to code that did rely on exploits. So even in the most secure operating environment you could still have a virus, but you couldn't have a worm. Of course, now-a-days everyone refers to viruses as worms and worms as viruses. As long as the operating system is performing actions on behalf of the user you will have software that does what the author wants but not what the user wants. The only real way to stop that is to make the user do everything themselves.. that is, it's completely impractical to stop. Stop-gap measures like virus/worm/spyware/malware detection, quarantine and elimination will always be necessary to mitigate the damage these nasties can do.
How we know is more important than what we know.
1."everyone's servers" - Does US count as everyone?'
2.Ever heard of a remote desktop?
3.Arent't all IT people paranoid, even while "long-weekending" in US?
Give them a credit - it's been very quick.
Vulnerabilities in security software make me think of those dialogs between the Tortoise and Achilles -- particularly the one where the Tortoise and the Crab are developing ever more fancy record players. The Crab keeps getting nicer record players and the Tortoise keeps giving him records that induce fatal resonance in some mechanism of the record player...
in GEB it was a parable about the Godel incompleteness theorem -- and, of course, designers of security software would do well to think carefully about it...
From the eWeek article:
"Security researchers at eEye Digital Security have discovered a serious flaw in Symantec's enterprise antivirus software that could be used by hackers to create a self-replicating "worm" attack against Symantec users. Because Symantec has not yet confirmed the existence of the problem, much less patched it, eEye is offering few details on the vulnerability, which was first disclosed late Wednesday."
Either Symantec is lying, or someone is guily of some very excessive and reckless self-promotion. It smells like excessive self-promotion to me, but I'm not privy to the details so who knows.
Thank you, Mr. Gates. May I have another?
Silent mantra to the many people I have to spend hours cleaning spyware and maleware off of their system and feel guilty charging them because they are friends. Mostly they buy me gifts because I refuse to charge them. I have them bring the sick virus infested computer in on company time and test the company firewall.
I really do!
Matrix
Who in their right mind still uses Windoze?
Friends don't help friends install M$ junk.
That same time, we called those who penetrated systems as Crackers, and those who wrote amazing code Hackers. Steven Levy wrote about them.
It was a nice time.
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
As much as I would love to start moving some of my clients away from a particular bloated & unsafe OS(which I have reccomended), a lot of people are lazy or just not interested in another OS, although they have problems with windows they at least understand it a little to get by.
,when people are busy with normal everyday life can be a chore for most, especially when you are intimidated by the machine your trying to learn.
Some of my clients have moved to Mac and haven't been happier, others find the same problems with Mac as they have with Windows, not bugs or faults, just general usability they have the same frustrations with how to use programs because they just don't have enough knowledge behind the application.
Moving an OS is a good idea in theory but having to re-learn different ways of doing things
Manual virus removal instructions:
Comment removed based on user account deletion
Especially antivirus software that intercepts kernel hooks....
//Information does not want to be free; it wants to breed.
"The reason there are so many viruses and exploits for Windows is due to its popularity;"
That argument doesn't work, because if it did, we'd see at least a few worms and viruses for Linux and OS/X. At least 1 or two persistent ones in the wild. But there aren't any, are there? If there was, it would be BIG NEWS if someone made a widely propagated virus for *nix and that person would have made a name for himself in certain circles.
But the fact is, virus propagation in *nix sucks, and it's not because of popularity and it's not for lack of trying from the people who write such things.
The only bullshit here is yours, Mr. Anonymous.
--
BMO
Symantec, in most cases, releases an antivirus definition to detect any threat that may attempt to exploit a hole in the product, so even if you are unpatched, so long as your defs are updated, you are protected.
Patching ASAP is still a priority though.
Don't take life so seriously. No one makes it out alive.
Maybe the GUI to an AV package, or maybe the bulk logic. Just isolate all the risky stuff in a few thousand lines and make sure they're safe. Then you can write the other 100,000 lines in VM-based language. I mean, the file-scanning part shouldn't intercept kernel hooks or anything like that.
#define DRM chmod 000
No, it's more like saying, "If we made sure the gun was unloaded before attempting to clean it, we'd never have to worry about shooting ourselves in the head by accident."
Which is quite true. The biggest newbie bitch I see on Slashdot is about C. Guess what?
C has functions designed to prevent buffer overflows/etc. - and no, there is NO excuse for not using them.
Comment removed based on user account deletion
Scanning files efficiently is actually quite hard. You can write a naive scanner in a few thousand lines, but to make it competitively efficient you're going to need to do a lot more work (scheduling, sequencing, caching results, skipping safe data, etc).
I know plenty of people will say, "program carefully", but that's like saying, "seatbelts are stupid. If we all just drove safely we wouldn't need seatbelts or airbags or bumpers."
No, it's like saying "making cars travel at no more than 5mph and have a man with a red flag walk in front is stupid, it significantly reduces the value of travelling by car". 'Safe' languages come at a large cost to efficiency, because they involve extra checking at runtime. Safer is not always better: you reach a point where the cost of the added safety (because you have to buy more powerful hardware) outweighs the cost of the system being less safe (because you have to occasionally clean up a virus infestation). You can slap a monetary figure on both those things and compare them. If the program was already pretty safe (one break in N years), and the cost of cleanup is low (restore infected hosts from disk image), then adding more 'safety' may be a bad thing. Especially in a corporate environment where the bottom line rules.
I do, primarly because I am a gamer. When I can play Oblivion, Half-life 2, Call of Duty 2 and all my games under Linux, I will switch to linux fulltime. Until then, I will continue to use Windows XP Pro. There are some real world uses for Windows that Linux still cannot provide. Gaming is one of them. Even Mac has some of the major game titles, but not even close to 50% of the games that are available to Windows users. There is no ultimate OS, each has it's own benefits and drawbacks. If you're a gamer, you're stuck with Windows, if you run a server, you probably use linux. It's about using the right tool for the right job. I first tried slackware back in `95 and I loved it, I would love to be able to use linux for gaming, but that won't be happening anytime soon (if ever). Mainly because the majority of people own Windows computers, so the majority of game developers will make their product for that platform, as it has the biggest user base.
I don't even have a virus scanner installed on this computer, this is my gaming pc and I keep it clean of any and all software not including games. As long as you aren't downloading some unknown crap off the internet you shouldn't need antivirus software. I haven't gotten a virus in more then 7 years and I have used antivirus software in the past, mainly Mcafee and Norton. Once in a while I will use Mcafee's Avert Stinger to do a quick scan for the latest virus/worms. It's free and you don't have to install it or any bloated software, just download and run it from the download directory. I believe Symantec and a few other companies also provide some useful free virus removal tools that don't need to be installed to run.
Lions, tigers and bears do not go after the most abuntant, but the easiest prey.
A language in a sandbox? why stop there if you can create an entire virutal machine in a sandbox.
After all security is very important and there is no reason to not spend some cheap extra cpu cycles on it.
Very good guy, too bad this topic was SYMANTEC ANTIVIRUS CORPORATE EDITION, not the norton line of products. RTFA next time ;-)
Engineers do it with less resistance
you forgot to mention the indiscutable performance... norton anti virus and internet security make your machine so slow - it would be faster if you had no AV program and several worms instead...
I just reinstalled the system on the PC of my girlfriends father who had NAV and NIS... his Athlon 1.8GHz performed like an 80486 and he couldn't beleive how fast his PC became after I didn't reinstall those programs, but installed AVG and zonealarm instead...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Comment removed based on user account deletion
Having been too lazy these past few months to uninstall their 'Security Suite' this flaw was the motivation to dump the suckers and stick Free AVG on my system. I always knew the Symantec solution was a resource hog, but didn't realize quite how much until I replaced it.
No, we didn't you hanger-on. The only person, ever, who has originally refered to people who break into computer systems as "crackers" is Eric S. Raymond. Everyone else who used the term "crackers" to refer to people who break into computer systems was just a sheep who read the jargon file, the entry of which was written by Eric S. Raymond. The fact that the media had (and continue to have) no interest in your prefered definition of the word and, as such, the mainstream public still consider your meaning of the word for be incorrect, does not give you warrant to rewrite history. If you wanna continue the propoganda compaign to make everything think of "hacker" as meaning a shiny happy tree friend who writes code for the good of humanity, don't do it in response to my Slashdot posts. And in case anyone is struggling to remember what "cracking" was all about, go have a look at how copy protection on software was broken back before every idiot figured out they could charge customers for a serial number. Those guys who did the cracking, we called them crackers. Eric S. Raymond probably wasn't concerned with them because he was already living a super-nerd-it-up life style over on VAX mainframes and minicomputers when the rest of us were discovering the personal computer revolution.
How we know is more important than what we know.