Symantec AntiVirus Hole Found

Posted by CowboyNeal
from the safer-than-sorry dept.
Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"
  • Re:Older Versions? (Score:3, Interesting)

    by Amouth (879122) on Friday May 26, 2006 @02:31AM (#15407906)
    I bet June 7th 2006

    just because they release updates on Wednesdays and I don't think they will have a cert'ed patch ready by Wednesday as this is a holiday weekend and their customers don't matter to them (at least the ones that could be infected)
  • by Anonymous Coward on Friday May 26, 2006 @02:43AM (#15407938)
    I got the 'Stoned Virus' in 1989. Had another one that I can't remember about 4-5 years ago. Those are the only two virii I have ever gotten.

    I had a bit of a problem a few years ago with SpyWare; first I installed an IE plugin and then moved to FireFox.

    These 'Security' behemoths are insane. They hog 20%+ of computer resources with their 'real time scanning'. The only time anything needs to be scanned is when it's first coming to your computer. Downloads need to be scanned, that's it! If I download something questionable, I'll run it through Trend Micro online scan before running.

    Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.

    Firefox and a little common sense and this whole virus/spyware thing is just not an issue for me. I haven't run SpyBot/AdAware since last year. I occasionally scan my download folder with TM Online.

  • tit for tat? (Score:3, Interesting)

    by mysticgoat (582871) * on Friday May 26, 2006 @02:45AM (#15407943)

    Recent history:

    1. Symantec files suit against Microsoft with some kind of anticompetitive or abuse of license beef involving Vista.
    2. A day or so later, Symantec announces a zero-day exploit of Word. The malware in the Word document drops the Ginwui worm that opens a backdoor and uses rootkit technology to hide itself and its activities. Symantec says that some companies have been victimized by this perhaps for months.
    3. And now a day or so later, a company with close ties to Microsoft announces that a major Symantec product contains a massive security flaw.

    Does anyone else feel that this time line suggests that the last item or two might be part of a hidden agenda? Are we witnessing the start of a FUD throwing contest between two of the industry's major players?

    I am so confused. What web news publishers should I now put my faith in?

  • by Anonymous Coward on Friday May 26, 2006 @02:52AM (#15407960)
    My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.

    Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.
  • Re:It depends (Score:5, Interesting)

    by MillionthMonkey (240664) on Friday May 26, 2006 @03:02AM (#15407977)
    I work at a big stupid company that has a site license for Rational Clearcase, a totally retarded product we are forced to use by upper management. Fortunately, SAV 10 is incompatible with the Clearcase Windows client- it diagnoses it as malware and attempts to remove the "infection". So we cannot upgrade from SAV 9. When they were doing the automated rollouts a few days ago, we had to send our machine names to the CC administrator to prevent the upgrade process from installing SAV 10 on our machines.

    So now we don't have to worry about this security hole, which means we can finally say that something good came out of using Rational Clearcase.
  • by Anonymous Coward on Friday May 26, 2006 @03:09AM (#15408000)
    I'm getting tired of keeping up with all these holes that need to get fixed to save my employment of a basic pay cheque.

    We need to fix the root cause of the problem. Not restore service, but fix it.

    It's time to tackle this problem at the compiler level. Get rid of the various IDE wizards, where the latest summer student can spend 5 minutes building a so called enterprise class application.

    Instead of the next dual core processor, maybe the industry could spend some time on software and get it right.

  • by smash (1351) on Friday May 26, 2006 @03:31AM (#15408042)
    We run trend officescan in a ~1000 PC corporate network and have only ever had one problem, with a bung pattern file that chewed up 100% cpu - which was fixed within a day or so (affected people world-wide).

    Fairly happy with it.

    smash.

  • oh piffle (Score:2, Interesting)

    by OctaviusIII (969957) on Friday May 26, 2006 @03:36AM (#15408056)
    My NAV is using a total of 9MB RAM on my system as I type. It's always been more reliable in catching viruses than AVG, too.
  • by myxiplx (906307) on Friday May 26, 2006 @03:51AM (#15408092)
    Been running Sophos Anti-Virus in the last two companies I worked for. It's always been far faster and more stable than either McAfee or Symantec's offerings. It's more CPU and memory intensive these days, but that's an unavoidable side-effect of signature scanners and 35MB of RAM isn't excessive on a modern machine.

    The downside is that it's not as user friendly as the others. Sophos only sell to business customers and hence expect it to be installed by a competent sysadmin. Once you've learnt how to manage it though it's beautiful. One of the products I can install on a network and then ignore for the next 18 months with 100% confidence that it'll sit there and do its job, and will warn me if it can't.

    In 4 years I can remember only one bad update, they had a workaround within hours and a fix within a day or two.

    Sophos technical support is another good reason for dealing with them. You get straight through to a native English speaking team and even their first line staff have a depth of experience with the product that makes a welcome change from the usual idiots.
  • by LordFolken (731855) on Friday May 26, 2006 @04:00AM (#15408115)
    The advisory is rather bleak at the moment, so the following is pure speculation:

    Past exploits in software firewalls were issues in the packet inspection engine. The engine packs itself in front of the TCP/IP stack of Windows and inspects _every_ packet that goes in or out, regardless of whether it connects to some port or not. This is done in order to log the packet and to reassure the user with annoying popups that his investment was worth his money.

    Back to antivirus: This thing also scans email. It does this by scanning the traffic on pop3 and imap ports. My suspicion is that it does this regardless of the connection state. E.g. if you send packets from port 110 to the target machine it probably inspects them, even if the target machine isn't currently downloading any email. Again: this is speculation on my part.

    To answer the parent's questions:

    If the above is the case:

    - Do I have to browse to a malicious website?
    Probably not.

    - Do I have to download an infected file for it to scan?
    It's possible that the worm also works when an email is scanned. So if you receive an email that has such a virus attached your machine would also be infected even if you used a hardware firewall.

    - Does it somehow come in on Live Update?
    Unlikely. You'd have to do a man in the middle attack for that. E.g. capture the user's DNS traffic or route his traffic through the MITM. Both rather unlikely in an Internet scenario unless you have a _really_ lousy provider.

    - What if I have a firewall?
    In a connection-state tracking software firewall it would matter what comes first: the antivirus or the firewall. A hardware firewall would protect you better as it comes first in any case, but it wouldn't protect you from an exploit that travels from your e-mail account to your machine.

    IMO Symantec products all suffer from bloat:
      - Way too many features, no average user can comprehend. (And I have a suspicion that the developers don't either.)
      - The install base from the complete package is probably above 100MB. I think a firewall and antivirus should be doable in a fraction of that. (Excluding signature files.)
      - They slow the systems they are installed on to a crawl.
      - I get 5+ support calls a day that deal with broken Symantec products. (E-mail and Internet related.)

    Please use FreeAVG, AntiVir or learn how to use ClamAV!

    Better yet: install FOSS software like I did years ago, and get rid of _all_ these problems in an instant.

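To make the firewall-ordering point in the post above concrete, here is an added illustration (constructed for this thread; it is not Symantec's code nor any real product's packet path): a stateful firewall admits inbound packets only on flows the host itself opened, while a scan-everything mail inspector parses any packet that merely claims to come from port 110 or 143, so whichever sits first in the chain decides whether the inspector ever sees unsolicited traffic. Hosts, ports and packets are all constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from the network

MAIL_PORTS = {110, 143}  # POP3 and IMAP, the ports the post mentions

class StatelessMailScanner:
    """Models a scan-everything engine: it inspects any inbound packet
    that merely claims to come from a mail port, connection or not."""
    def __init__(self):
        self.inspected = []

    def handle(self, pkt):
        if pkt.inbound and pkt.src_port in MAIL_PORTS:
            self.inspected.append(pkt)  # a parser defect would bite here
        return True  # never drops anything, it only looks

class StatefulFirewall:
    """Admits inbound packets only on flows this host opened itself."""
    def __init__(self):
        self.flows = set()

    def handle(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return True
        return (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.flows

def deliver(pkt, chain):
    """Run a packet through the stages in order; stop at the first drop."""
    return all(stage.handle(pkt) for stage in chain)

def scenario(firewall_first):
    """Constructed traffic: one real mail fetch, one unsolicited packet.
    Returns (legit delivered, unsolicited delivered, packets scanned)."""
    fw, av = StatefulFirewall(), StatelessMailScanner()
    chain = [fw, av] if firewall_first else [av, fw]
    me, mail, attacker = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    deliver(Packet(me, 50000, mail, 110, False), chain)         # host opens POP3
    legit = deliver(Packet(mail, 110, me, 50000, True), chain)  # server reply
    unsolicited = deliver(Packet(attacker, 110, me, 4242, True), chain)
    return legit, unsolicited, len(av.inspected)
```

With the firewall first the scanner parses only the genuine reply; with the scanner first it has already parsed the unsolicited packet before the firewall drops it, which is exactly the ordering question the post raises.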
  • by mlow82 (889294) on Friday May 26, 2006 @04:51AM (#15408218)
    Avast! [wikipedia.org]
    AVG Anti-Virus [wikipedia.org]
  • Re:Details? (Score:3, Interesting)

    by sumdumass (711423) on Friday May 26, 2006 @04:55AM (#15408225)
    Firewall?

    Just wait until some PHB or road warrior brings their laptop in and it is infected. Or my favorite: someone (law clerk) was bringing in files that her computer at home wouldn't open correctly to see if the work computers could open them because they seem to do more. I guess the idea was to make sure they weren't needed before they got deleted.

    And what if the firewall is a Norton product? Or spread via email too. Oh well
  • by allroy63 (571629) on Friday May 26, 2006 @05:13AM (#15408269)
    How the exploit functions (a loose theory):

    1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks - including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running.

    2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." Many of these same users are also granted secure access to remote servers behind their companies' firewalls...

    3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more likely to be stolen. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens' Social Security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec places the laptop on the front porch of their home each night.

    It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version...
  • by Anonymous Coward on Friday May 26, 2006 @05:33AM (#15408313)
    If you're a Symantec employee (and you agree) post anonymously under this thread. Just so you know I really am a Symantec employee, let me ask you this: how many "strongly disagrees" did YOU put on the SymPulse survey? Wouldn't it be great if our company actually paid any attention at all to that survey and decided to put the technology first? Guess we'd have to change our name to Sun then.
  • Symantec has been putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't it a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?

    I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.
  • Re:Details? (Score:2, Interesting)

    by iminplaya (723125) <iminplaya.gmail@com> on Friday May 26, 2006 @12:16PM (#15410334)
    They should call it "Norton Network Security", since it seems to block most local traffic also. My big question is whether I should wait until the subscription expires before uninstalling it, or rip it out now to save on future headaches.
