Slashdot Mirror


Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)

An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.

79 comments

  1. We herd u like liek... by Anonymous Coward · · Score: 0

    This really isn't surprising and shows a fundamental weakness in not just the software, but this approach to "security" in general. You're trying to make up for holes in other programs by adding more code to the festering heap, now in the kernel, thereby pulling out all the stops and safeguards, yet you kept on using the same languages, techniques, "coders", approaches, patterns, and so on, that made the code you're trying to make up for so vulnerable. In short, you've putten your foot in trying to kid yourself. But hey, it's a living, right?

    This is the "computer security" industry in a nutshell, this time without its trademark verbal abuse, just naked and getting laughed at.

  2. That's awesome by easyTree · · Score: 1

    Irony Overflow Exception.at lines one to infinity.

  3. Re:Why does this matter? by Anonymous Coward · · Score: 0

    Wait I am confused when you put neckbeards and symantec in the same sentence. That is like complete polar opposites.

  4. Re: Why does this matter? by Anonymous Coward · · Score: 5, Funny

    Lots of organizations use Symantec. Some Slashdot readers actually have jobs at such organizations and would therefore find this information useful. You don't because you're in your mom's basement with your NetBSD computers.

  5. Re:Why does this matter? by Anonymous Coward · · Score: 1

    We use Symantec Endpoint Protection. We tested over a dozen anti-virus systems, and it was the least worst. It's still pretty bad. I import and test .ova file (Open Virtualization Archive) imports several times a day. With Symantec enabled, it takes about four hours for a 2Gbyte compressed image. With it off, it usually takes less than ten minutes. Unfortunately my boss won't let me get rid of Windows since most of our customers use VirtualBox on Windows.

  6. Re: That's because Symantec is run by LUDDITES! by Anonymous Coward · · Score: 0

    I think saying "app apps" should trigger the lameness filter. Let's make sexconker move on to more original material.

  7. A thing of beauty by cyriustek · · Score: 3, Interesting

    Tavis Ormandy is bad ass, and is really awesome at finding bugs. Whether it is Microsoft, Symantec, or anything else, he will find a bug if one is there.

    This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

    1. Re:A thing of beauty by tlhIngan · · Score: 4, Insightful

      > This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

      Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).

      So it does make some sense to have a part of your scanner inside the kernel itself.

      Of course, the downside is your scanner is now the target of attack because well, it's a nice juicy place to attack.

    2. Re:A thing of beauty by cant_get_a_good_nick · · Score: 1

      Wasn't NT at one point a microkernel? Wouldn't at some point you be able to vector this into user space libraries?

  8. The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

    Linux users would have been better off without Symantec antivirus or any av for that matter.

    1. Re: The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

      That/than

  9. so what you're saying is... by dAzED1 · · Score: 1

    Symantec actively makes Linux and UNIX less secure? Because other than the insanity Lennart Poettering gave us, I fail to see what a proper UNIX system would need with a symantec scanner. It's been far too long now for the myth of UNIX being insecure in the same ways (note the wording...) to still persist.

    1. Re: so what you're saying is... by Anonymous Coward · · Score: 0

      I can think of a great reason to run an antivirus on Linux or Unix. If I'm running a mail server or a server that hosts files that Windows users might run, it can be useful to scan them for viruses. I prefer to be safe, though, even when running Linux. So before I open documents from other people (who I know and trust) in Libreoffice, I do a quick scan with clamav. Now there's no good reason to put the antivirus in the kernel, but it can serve a legitimate purpose.

    2. Re: so what you're saying is... by basecastula+ · · Score: 1

      What I have wondered, is how many windows specific pieces of malware work in wine? How many pieces of pirated software, that contain malware, are still able to reach out to the world when run via wine?

    3. Re: so what you're saying is... by Anonymous Coward · · Score: 0

      In my experience - none work on Wine. It seems that the Wine developers failed to implement all the exploits necessary.

  10. Yes! by c · · Score: 4, Funny

    When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

    Points to Symantec for eating their own dog food, I guess.

    --
    Log in or piss off.

    1. Re:Yes! by powerlord · · Score: 1

      > When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

      > Points to Symantec for eating their own dog food, I guess.

      Maybe ... but points off for having the Dog Food manufactured in China.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.

  11. Re:Why does this matter? by xxxJonBoyxxx · · Score: 1

    >> Wait I am confused when you put neckbeards and symantec in the same sentence

    This. No one buys Symantec unless their company culture consumes enterprise marketing pieces like "Gartner MQs" to figure what to buy.

  12. Re: Why does this matter? by Anonymous Coward · · Score: 1

    He's writing angry letters to the president in emacs under a single light bulb hanging from its own power wire.

  13. only a neckbeard such as yourself by Anonymous Coward · · Score: 0

    would try so hard for first post

  14. I wonder how long it will take... by Mike+Van+Pelt · · Score: 4, Insightful

    This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."

    And that's as bad as it gets.

    1. Re:I wonder how long it will take... by Anonymous Coward · · Score: 0

      You mean BSOD is not an Intentional Remote Invocation ?

      Someone call Microsoft.. they got some.. xplainin to do..

  15. Re:Why does this matter? by Anonymous Coward · · Score: 0

    Should be +5

    CAPTCHA: inequity

  16. MOD PARENT UP +11111111 INFINITY BUFFER OVERFLOW by Anonymous Coward · · Score: 0

    very informative

  17. Re:Why does this matter? by darkain · · Score: 1

    Actually, sadly, yes, organizations use this shit. I've seen a few Bring Your Own Device networks (such as college campuses) that force you to install whatever "security" bullshit they shove down your throat in order to be allowed to access their network. One such thing I came across was indeed Norton's shitware.

  18. Re:Why does this matter? by Tablizer · · Score: 1

    > Does anyone still use Symantec?

    People ticked off by McCrapfee

  19. Babel Fish by Anonymous Coward · · Score: 0

    I would rather take a Babel Fish, please.

  20. Of the largest AV manufacturers by Anonymous Coward · · Score: 0

    the only two that really deliver are F-Secure and Kaspersky. That's just how it is. The others are either sub-par, contain spyware, or even have security flaws. If you spend money on the bigger AV programs, and you are buying from any other vendor than F-Secure and Kaspersky, then you're just gambling.

    1. Re:Of the largest AV manufacturers by gweihir · · Score: 1

      You are kidding yourself. These two may look better at the moment, but they have the same problems. AV has become a massive security risk.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  21. Re:Why does this matter? by Joe_Dragon · · Score: 1

    What happens when the Mac or Linux box tries to get on?

  22. Re:Why does this matter? by jgtg32a · · Score: 3, Informative

    SEP has RPM and DEB packages

  23. Re:Why does this matter? by Anonymous Coward · · Score: 0

    Because McAfee is so bad, I wouldn't give it to my worst mortal enemy. Cough *US Government* Cough

  24. Re:Why does this matter? by Anonymous Coward · · Score: 0

    > SEP has RPM and DEB packages

    If there wasn't a reason to run Solaris, there is NOW...

  25. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  26. Re:Why does this matter? by EvilSS · · Score: 0

    > Does anyone still use Symantec? Yeah, I didn't think so. This matters to all of three neckbeards. I'll get modded down to -1 for asking this because Slashdot users can't handle the truth. All three of the neckbeards still using Symantec probably have mod points.

    This troll is getting old fast. I'll get modded up to 420x10^69 for saying this because Slashdot users are unicorns who poop pepper jack burgers.

    --
    I browse on +1 so AC's need not respond, I won't see it.

  27. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  28. Actually, there's a few levels left. by Anonymous Coward · · Score: 1

    Find a similar bug in a SMM (ring -1) handler in your UEFI BIOS... or perhaps in the various subsystems both intel and amd keep on strewing over their offerings that include complete RTOSes running in ring -2 or -3, or in the LOM, maybe on a processor embedded in the southbridge, which might run diddled Chinese firmware complete with diddle-hider, or.... And yes, that southbridge thing sits on a management NIC and gets its input from there before the rest of the system even sees it, so any exploit more or less has to be remote.

    Nope, there's really no end to the depth of the rot. Please note that for most of these at least promising proof-of-concepts already exist, and where not publicly known often strong hints are available that someone must have developed such a thing anyway. And yes, there really are that many OSes running on various parts on a modern computer. Hey, who knows, maybe the microcode can somehow be triggered too.

  29. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  30. Because it runs on AIX and Solaris... by mlts · · Score: 1

    Yes, it is a waste of time, but McAfee and Symantec both have ICSA certified AV solutions which run on Linux, Solaris, HP-UX, and AIX. This is crucial in a lot of environments to make the legal eagles happy, and check that box off that "all computers run a certified AV solution", even if the machines are LPARs or LDOMs.

    Sounds idiotic, but PCI-DSS and other specs can require this, even though the AV software, at best, will be deadweight.

    1. Re:Because it runs on AIX and Solaris... by viperidaenz · · Score: 1

      You mean they require a specific set of certified attack vectors to be installed on every machine?

    2. Re: Because it runs on AIX and Solaris... by Anonymous Coward · · Score: 0

      The first rule of AV protection is "entry/exit points only" - why would you want to have AV on all servers?
      Here's your sign.....

  31. Re:Found the LUDDITE! by Anonymous Coward · · Score: 0

    Appcelerator

  32. Re:Why does this matter? by Anonymous Coward · · Score: 0

    My God, your government is run by FBI-incompatible neckbeards!

  33. Solved LiveUpdate by Anonymous Coward · · Score: 0

    All updates to the scan engine come via LiveUpdate, so run LiveUpdate (which probably is running daily or even multiple times a day) and you are solved. There is no need to push out a new version of SEP to fix this. Symantec has addressed this already https://www-secure.symantec.co...

  34. Re: Why does this matter? by eumoria · · Score: 1

    My company insists on using it. We're small, though, so maybe one day I'll convince them that having it and not having it is basically the same thing except with one you spend a lot of money for no reason.

  35. Re:Why does this matter? by Joe_Dragon · · Score: 1

    Does it push them at login? Let you hit the repos to get the dependencies?

  36. Re: This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

    Only LUDDITES use LUDDITE host files! Modern app appers use APPS to app other apps!

    Apps!

  37. automated fix already out by synthe · · Score: 2

    Unless you don't update AV definitions, this is a nonissue. The AV definition files dated 5/16/16 rev24 included an updated av engine component that fixes this vulnerability. By the time I heard of this issue, our SEPM server had already downloaded the defs with fixed engine and 3/4 of our enterprise was already up to date.

    1. Re:automated fix already out by gweihir · · Score: 1

      I beg to disagree. This shows that the scanning engines are of low(est) quality and run in places they should not. While this particular bug is now fixed, the underlying problem is very much not so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    2. Re:automated fix already out by Anonymous Coward · · Score: 0

      BS. If you're not in the kernel, stuff can hide from you there. It not only should be there, it MUST be there to do its job effectively.
      In other news, bugs are possible. Who knew? It's not like they already fixed this particular one or anything... Oh wait.

    3. Re:automated fix already out by gweihir · · Score: 1

      You are seriously claiming that a file-scan engine needs to be in the kernel? You are even more stupid than the average AC moron.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  38. Re:Why does this matter? by Anonymous Coward · · Score: 0

    I have over 100 customers ranging from 15 to 250 workstations all running SEP.

    A lot of my local competition also uses SEP.

    This is a huge problem.

  39. Re: That's because Symantec is run by LUDDITES! by Anonymous Coward · · Score: 0

    Luddites don't appreciate the appiness of posts like this. You have to app apps to be appy.

  40. This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Complements firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.

    Ads rob bandwidth/speed paid for, security (adnetwork abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (vs. souled-out to admen inferior wasteful redundant slow usermode browser addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2...

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & yes it's safe" http://forum.hosts-file.net/vi... )

  41. Re:Why does this matter? by Gumbercules!! · · Score: 1

    You know what, years back I worked at a place that used Symantec Endpoint Protection - and you're actually correct. Management absolutely loved Gartner. The CTO even had a Gartner Magic Quadrant of innovative companies on his wall. Every IT meeting (which was a monthly 2 hour snooze fest) started with an update from Gartner.

  42. Re:Why does this matter? by Gumbercules!! · · Score: 1

    To be fair, Symantec and Norton are not at all the same thing.

  43. TFA Description Understates Impact by AlphaBro · · Score: 1

    "instant blue-screening"? How about kernel-mode code execution, hence why "this is about as bad as it can possibly get".

  44. Re:This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

    > This is BETTER antivirus than antivirus

    OK then, question for you. How does this protect my users against, say, the latest CryptoWall whose C&C server is an IP address in Balochistan that was set up an hour ago? Your software stops this somehow? If not, how is it "better antivirus than antivirus?"

  45. Most stupid design possible by gweihir · · Score: 1

    You would think that of all things, scanning engines of AV products would have buffer-overflow protection in place. But apparently, these are the same bad 3rd-rated coders that are responsible for the problem in the first place. And doing this in kernel-space? How insane can you get?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  46. Duh by Anonymous Coward · · Score: 0

    It's meant to protect your computer (not really), not itself.

  47. Re: Why does this matter? by Anonymous Coward · · Score: 0

    > Some Slashdot readers [...] would [...] find this information useful.

    I do. Mainly for pouring mockery over my colleagues. Ahhh... schadenfreude. Endorphins and that.

    Thank you for this one!

  48. Well done Symantec by Anonymous Coward · · Score: 0

    You eventually turned antivirus into virus.

  49. wew by Anonymous Coward · · Score: 0

    Google cucks publishing irrelevant 0days while keeping even the good ones and selling them to NSA.

  50. 1 hr. ago odds protect you! by Anonymous Coward · · Score: 0

    See subject: That hasn't propagated thru DNS even (takes up to 24 hours iirc) & my hosts data sources update in that time so you'd be protected (most likely).

    * All the rest of what I wrote makes it better than antivirus (less moving parts for exploit or breakdown, less resource use, & more speed vs. LESS OF IT as Antivirus slows you down + is vulnerable as hell (not a 1st for Mr. Ormandy our subject & others finding exploitable buffer overflows & such in antivirus - FAR from it, especially lately...))

    APK

    P.S.=> Now I have to ask you - what have YOU yourself created that does the same or better? apk

    1. Re:1 hr. ago odds protect you! by Anonymous Coward · · Score: 0

      > See subject: That hasn't propagated thru DNS even (takes up to 24 hours iirc) & my hosts data sources update in that time so you'd be protected (most likely).

      There is no DNS. The CryptoWall comes in a .js file coded to connect directly to an IP address and download the payload. How is your "better antivirus than antivirus" going to protect me?

      > P.S.=> Now I have to ask you - what have YOU yourself created that does the same or better? apk

      I haven't claimed to create any such thing. You, on the other hand, are advertising your creation as "better antivirus than antivirus." I'm trying to figure out how your creation is supposedly better than antivirus. As far as I can tell, it does absolutely nothing to protect against common ransomware threats.

  51. Re:Why does this matter? by Anonymous Coward · · Score: 0

    FYI, this is a troll.

    https://news.slashdot.org/comments.pl?sid=9120239&cid=52129387

  52. Re:Why does this matter? by KlomDark · · Score: 1

    SEP is a cheap, easy, and staggeringly useful way of safely protecting something from unwanted eyes. It can run almost indefinitely on a torch (flashlight)/9 volt battery, and is able to do so because it utilizes a person's natural tendency to ignore things they don't easily accept, like, for example, aliens at a cricket match. Any object around which an S.E.P. is applied will cease to be noticed, because any problems one may have understanding it (and therefore accepting its existence) become Somebody Else's. An object becomes not so much invisible as unnoticed.

    A perfect example of this would be a ship covered in an SEP field at a cricket match. A starship taking the appearance of a large pink elephant is ideal, because you can see it, but because it is so inconceivable, your mind can't accept it. Therefore it can't exist, thus ignoring it comes naturally.

    A S.E.P. can work in much the same way in dangerous or uninhabitable environments. Any problem which may present itself to a person inside an S.E.P. (such as not being able to breathe, due to a lack of atmosphere) will become Somebody Else's.

    An S.E.P. can be seen if caught by surprise, or out of the corner of one's eye.

  53. A scan engine should be in the kernel by Anonymous Coward · · Score: 0

    Just like font rendering and other cool things such as scroll bars https://news.ycombinator.com/item?id=9031419

  54. Ok, vs. CryptoWall this protects you then by Anonymous Coward · · Score: 0

    * Putting those in your custom hosts file stops this thing cold... & I never said "hosts cure all" (but they do a LOT MORE for a LOT less...)

    APK

    P.S.=> Courtesy/Credits to http://researchcenter.paloalto... AND https://www.proofpoint.com/us/... ... apk

  55. Re:Why does this matter? by ncc74656 · · Score: 1

    > SEP has RPM and DEB packages

    ...and what would their response be if you showed them something like this on your Linux box?

    salfter@files ~ $ sudo apt-get install symantec-shitware
    -bash: apt-get: command not found

    Do they tell you you're SOL?

    --
    20 January 2017: the End of an Error.

  56. Eat your words: Cryptowall's from malvertising by Anonymous Coward · · Score: 0

    Zedo specifically & malvertising stopping's a HUGE PART of what my program prevents infection from - C&C list to stop it versions 1.x-4.x:

    1.x (source https://barracudalabs.com/2014... )

    2.x-3.x (source http://blogs.cisco.com/securit...):

    4.x (source http://www.tripwire.com/state-... ):

    * What's that you said that my program doesn't stop "Common Ransomware Threats"?

    APK

    P.S.=> My last post also puts down another 'variant' of it in CryptXXX / Locky... want JAKU too? apk

  57. Gone silent now? Gosh, why's that?? by Anonymous Coward · · Score: 0

    See subject: These 2 posts PUT YOU AWAY easily https://it.slashdot.org/commen... + https://it.slashdot.org/commen...

    * YOU are in MASSIVE ERROR = why (see you quoted below)!

    * :)

    (You unidentifiable trolls - you're ALL THE SAME, & stupid... shouldn't open your mouths when I can SLAM THEM SHUT so easily...)

    APK

    P.S.=>

    "I'm trying to figure out how your creation is supposedly better than antivirus. As far as I can tell, it does absolutely nothing to protect against common ransomware threats" - by Anonymous Coward on Wednesday May 18, 2016 @02:18PM (#52136785)

    See the above links & "tell us another one" since CryptXXX & Cryptowall use host-domain names which I have blocked in hosts (& as far as javascript usage? Use a GOOD browser that allows you to use it ONLY where you absolutely need it, otherwise, you're stupid (like you))... apk

  58. Re:Why does this matter? by Culture20 · · Score: 1

    My guess is they'd actually transfer the .deb or .rpm and use dpkg or rpm to install, not apt or yum. If you use gentoo, they'd emerge apt or rpm, or perhaps in the end tell you you're SOL.