Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Symantec AntiVirus Hole Found 241

Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"
This discussion has been archived. No new comments can be posted.

Symantec AntiVirus Hole Found

Comments Filter:
  • by bunbuntheminilop ( 935594 ) on Friday May 26, 2006 @01:57AM (#15407792)
    Symantic will only have to make viruses for its own programs!

    (ouch, that was a little harsh)

    • All they have to do is rebrand their anti-virus product "PC Anywhere SE".
  • Details? (Score:5, Insightful)

    by SomeGuyFromCA ( 197979 ) on Friday May 26, 2006 @01:59AM (#15407800) Journal
    Is it server-side or client-side? Is it push or pull?

    If it affects the install on the clients, but needs to get access to them, I wave my paw and say "bah."

    If, on the other hand, it can attack the server...

    Well, then again, everything should be behind a firewall anyway, with only needed ports forwarded.

    I mean that's just common sense...
    • Re:Details? (Score:5, Informative)

      by neil.orourke ( 703459 ) on Friday May 26, 2006 @02:04AM (#15407818)
      http://www.smh.com.au/ [smh.com.au] had a writeup about this which said that Norton Internet Security guarded against this flaw in Norton AntiVirus. Go figure on the implications of that.
      • Re:Details? (Score:5, Funny)

        by cp.tar ( 871488 ) <cp.tar.bz2@gmail.com> on Friday May 26, 2006 @04:11AM (#15408137) Journal

        OK, let me try:

        • First they sell you an antivirus to protect you against viruses and other malicious code.
        • Then they sell you a security package which will protect you against malicious code which the antivirus cannot detect. Or which attacks the antivirus itself.
        • Soon they'll sell you an additional package which will make sure nothing gets past the security package.
        • And another one to keep all those in check.
        • Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

        Perfect security - and the Quis custodet ipsos custodes? problem solved. Rather neat...

        • Re:Details? (Score:5, Funny)

          by Jesus_666 ( 702802 ) on Friday May 26, 2006 @04:45AM (#15408209)
          Norton Antivirus offers perfect security. Just leave it installed on a home user PC for long enough. Sooner or later the system will shut down in an unclean fashion, which NAV will take as a reason to hang at startup, taking the NIC with it.

          Bang - no NIC, no malicious traffic from the internet.
        • Re:Details? (Score:5, Funny)

          by Fred_A ( 10934 ) <fred@fredsh o m e.org> on Friday May 26, 2006 @06:11AM (#15408379) Homepage
          Therefore, soon enough no code will be able to execute because all the CPU cycles will be reserved for Symantec security.

          I thought everybody agreed that this was the purpose of dual core CPUs for Windows machines. One to run the bundled Norton crud, one to run the apps.

          Of course some people follow the advice of their more enlightened friends/neighbours/family and switch to other products or other systems.

          (note: this does not apply to corporate networks unless they are handled by idiots. Um. Doesn't apply to *all* corporate networks.)
          • Re:Details? (Score:3, Informative)

            by BiggyP ( 466507 )

            "I thought everybody agreed that this was the purpose of dual core CPUs for Windows machines. One to run the bundled Norton crud, one to run the apps."

            That hadn't occured to me, it could certainly make a big difference cutting down the effect of the overhead from norton antivirus and firewall software, not to mention the worms it feels like letting in to join the party.

            "Of course some people follow the advice of their more enlightened friends/neighbours/family and switch to other products or other system

        • But with dual-core CPUs becoming more popular, it'll only take up 100% of one CPU, leaving you a whole other CPU for running XP and your apps! Win-win!
      • Now I have to convince my laptop that not to be able to use half of the apps without annoying IS popups is better that having the security hole... Luckily, all it can say is multiple choice question: "How long do you wish to have Norton Internet Security turned off?" And the answer always is: "Until system restarts, honey".
    • Re:Details? (Score:3, Interesting)

      by sumdumass ( 711423 )

      Just wait until some PHB or road warior brings thier laptop in and it is infected. Or my favorite, Someone (law clerk) was bringing in Files that her computer at home wouldn't open corectly to see if the work computers could open them because they seem to do more. I guess the idea was to make sure they weren't needed before they got deleted.

      And what of the firewall is a nortan product? or spread VIA email too. Ohh well
  • by HotNeedleOfInquiry ( 598897 ) on Friday May 26, 2006 @02:02AM (#15407810)
    How a company could fsk itself more or harder. First the totally bogas licensing restriction of Ghost, the last good product they made, and now this. Sad.
  • No wai- (Score:2, Funny)

    by RenHoek ( 101570 )
    Protect your computer! Remove your virus scanner! .. hang on.. :) Very sloppy.. It's like the firebrigade trying to save your house with flamethrowers.
    • Re:No wai- (Score:5, Funny)

      by B3ryllium ( 571199 ) on Friday May 26, 2006 @02:15AM (#15407854) Homepage
      Well, they do say that you should fight fire with fire ...
      • Re:No wai- (Score:4, Funny)

        by Nefarious Wheel ( 628136 ) on Friday May 26, 2006 @02:26AM (#15407891) Journal
        Dunno, I find that the cold proc of Blade of Walnan works better for fire elementals in Nadox than Fist of Ixiblat, which is a fire proc.

        Oh, wait...

      • Re:No wai- (Score:2, Insightful)

        by Jesus_666 ( 702802 )
        Fighting fire with fire. Phh. Did that work in Kuwait? No, sir. Real firefighters use explosives to extinguish the fire, which is why our local fire department has completely switched over to C4. It saves a lot of water, too.

        As for NAV... Maybe you could use a special NIC that detects malicious traffic and self-destructs rather than passing the packet to the rest of the system.
    • Re:No wai- (Score:3, Insightful)

      by Alef ( 605149 )
      Actually, I have never (unintentionally) gotten any of my PCs infected with a computer virus, but thrice I have had the system severely broken by the virus scanner (each time a different brand). I have started to think it is a greater risk to have a virus scanner installed than not to have one, at least for me...
    • It's like the firebrigade trying to save your house with flamethrowers.

      If you have flamethrowers big enough, this will work, since they use up all the oxygen and the fire in the house will go out. If you have observed some Steven Segal movies, you've seen the same trick on the oil drilling stuff, that's the easiest way to put something out, remove the oxygen.

      I suppose you should use something that burns at really low temperatures in that flamethrower, otherwise when the natural oxygen from the environment r
  • by christopherfinke ( 608750 ) <chris@efinke.com> on Friday May 26, 2006 @02:02AM (#15407813) Homepage Journal
    "This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine."
    Well that's a relief. Who would ever want to use the Windows shell? I'd call that security through, uh, suckurity.
  • by oztiks ( 921504 ) on Friday May 26, 2006 @02:11AM (#15407835)
    They are just calling it an exploit just so they dont get into trouble ;)
  • by Sentri ( 910293 ) on Friday May 26, 2006 @02:12AM (#15407843) Homepage
    That the Antivirus people are the ones putting the virus's out there to keep their businesses running

    *grabs tinfoil hat*
  • by BarryLoper ( 928015 ) on Friday May 26, 2006 @02:13AM (#15407846)

    OK that leaves about every question unanswered.

    At least give us a little bit on how this vulnerability could be exploited other than: This flaw does not require any end user interaction
    • Do I have to browse to a malicious website?
    • Do I have to download an infected file for it to scan?
    • Does it somehow come in on Live Update?
    • What if I have a firewall?

    Throw me a friggin bone here! I'm the user... Need the info...

    I suppose the important part is they got the scoop!

    • by skiflyer ( 716312 ) on Friday May 26, 2006 @02:36AM (#15407922)
      I didn't read this link, but I read it on CNN, and to answer your first two questions no... they very specifically said the real concern here is that a user can be attacked without doing anything.

      As far as #3, the hows were unaddressed.

      #4, it seems that at least several firewall packages block it just fine... but there was no discussion as to whether or not it was something special about the packages mentioned, or if it's just blocking some specific port that makes you safe.
      • by allroy63 ( 571629 ) on Friday May 26, 2006 @05:13AM (#15408269)
        How the exploit functions (a loose theory) 1. It is widely accepted that the Corporate versions of the software are those that are affected. The major difference between the Symantec corporate and home use anti-virus clients is their ability to be managed by a centralized server. From the server environment one can initiate any number of tasks - including a remote installation of the client, remote scans, etc. IIRC this functionality is accomplished through connection to a listening port on the client machine. This would fit the theory of what it is that is so different and that a user needs to do absolutely nothing but have the machine on a network with the Symantec service running. 2. The current CNN coverage located here (http://www.cnn.com/2006/TECH/internet/05/25/antiv irus.flaw.ap/index.html) indicates that home use editions of the software are not affected, "though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected." [cnn.com] Many of these same users are also granted secure access to remote servers behind their companies' firewalls... 3. This is a major concern because it means that we're not looking at a situation of massive numbers of zombie bots that are all deployed to do some low level inane task like e-mailing tons of spam to people. It means that the firewalls of the various institutions of power, privilege and profit around the globe who have purchased Symantec's products become functionally useless as employees head home to plug into their non-firewalled-my-cousin-set-it-up-for-me cable or DSL connection at home. It also means that any confidential data stored on those remote machines is more likely to theft. Consider the recent stories in the U.S. media of the theft of a laptop containing thousands of citizens social security numbers. Now magnify that situation by imagining that everyone with access to confidential data on a laptop running Symantec place the laptop on the front porch of their home each night. It will be interesting to see how Symantec handles this. I am hopeful that a LiveUpdate can correct the situation and will be looking into turning off the remote management features on the client machines I manage as a precaution. I don't know that there's a link, but it seems like a fairly plausible source of exploit that is clearly delineated from the home version... 2.
    • The advisory is rather bleak at the moment, so following is pure speculation:

      Past exploits in software firewalls where issues in the packet inspection engine. The engine packs itself infront of the tcpip stack of windows and inspects _every_ packet that goes in or out, regardless of wheter it connects to some port or not. This is done in order to log the packet and to reassure the user with annoying popups that his investment was worth his money.

      Back to antivirus: This thing also scans email. It does this b
  • Older Versions? (Score:3, Insightful)

    by tecker ( 793737 ) on Friday May 26, 2006 @02:14AM (#15407850) Homepage
    I noted that the eEye details [eeye.com] point out this:
    Symantec Antivirus 10.x
    Symantec Client Security 3.x
    (Other Symantec Antivirus products are also potentially affected, waiting for vendor list)

    Question 1: Are norton Consumer level products (Norton/symantec Antivirus 2006 for example) in this list.

    Question 2: Where does this security vulnerability lie? In the scanning engine or in the GUI appliation wrapper or helper dll. This could let us know if the Symantec Antivirus 9 -> 1 are bad.

    Im holding Slashdot to a Slashback on this as this unfolds.

    BTW, any takers on the ammount of time till patch. Clock starts now.
    • Re:Older Versions? (Score:3, Interesting)

      by Amouth ( 879122 )
      i bet June 7th 2006

      jsut because they release updates on wensdays and i don't thing they will have a cert'ed patch ready by wensday as this is a holiday weekend and their customers don't matter to them (at least the ones that could be infected)
  • by Anonymous Coward on Friday May 26, 2006 @02:17AM (#15407858)
    Coverage on http://www.cnn.com/2006/TECH/internet/05/25/antivi rus.flaw.ap/index.html [cnn.com] CNN notes that it appears only the corporate version is affected.

    "eEye said it appeared consumer versions of Symantec's Norton Antivirus software -- sold at retail outlets around the country -- were not vulnerable to the flaw, though consumers who are provided Symantec's corporate edition antivirus software by their employers for use at home may be affected."
    • I'm going to guess wildly here after seeing this only affects corporate, and say that Norton, in their infinite wisdom/paranoia, set up one of those "networked license verification" systems, where a product, once installed, broadcasts on the network to find copies of itself to compare license codes with. It then sets up a listener of its own to listen for other copies broadcasting, hunting for duplicate or too-many-user licenses.

      Then the listener code is bugged and has a hole in it, and now, courtesy of No
  • by DrunkenTerror ( 561616 ) on Friday May 26, 2006 @02:20AM (#15407872) Homepage Journal
  • I've never seen a program cause as many problems as some of these name brand anti-virus programs.. they're worse than having the viruses!!! and they add extra complexity that gives attackers more possibilities for exploitation.

    Keep your patches up to date, or don't connect to the internet...
    Don't open ANY freaking attachments, unless you expect it, and you know where it came from... or don't connect to the network.

    My mom's computer has their security suite? set up on it... it basically just nags her when programs try to do anything... it's nice that it warns about Real Player's nasties... but we all know to unistall that basterd and just use the codec... ... I'm saying stuff that everybody already knew... but nobody cared enough to nuke that company for the good of the world.
    • I find it hard to believe the parent was modded insightful.

      Security isn't easy at best, and the more computers, applications and disparate networks you have to manage the worse it gets. Name for me a software firewall that doesn't require "teaching"? Eventually, you'll install something that will not work until you open the port it needs. The newer swfws will at least popup a quick box asking you if you'd like to permanently allow the connection. I've used zone alarm, tpf, netpeeker, scs and, yes, XP
  • by themysteryman73 ( 771100 ) on Friday May 26, 2006 @02:29AM (#15407901)
    "there are no publicly shared proof-of-concept exploits or other information to suggest an attack is imminent"

    Great, so lets just advertise that it's vulnerable instead of fixing it! How many h4x0rz are going to try to 'sploit this now as opposed to before for a quick ego trip?

    • Let me correct it for you.

      "there are no publicly shared proof-of-concept exploits or other information to suggest an attack is imminent that we know of "

      The best approach to vulnerabilities is to assume by default that the blackhats already know about them and are actively exploiting it, because you can't prove otherwise, so what you need asap is to inform the people about it.
  • This was bound to happen.
  • by Anonymous Coward
    I got the 'Stoned Virus' in 1989. Had another one that I can't remember about 4-5 years ago. Those are the only two virii I have ever gotten.

    I had a bit of a problem a few years ago with SpyWare, first I Installed a IE plugin and then moved to FireFox.

    These 'Security' behemoths are insane. They hog 20%+ of computer resources with their 'real time scanning'. The only time anything needs to be scanned is when it's first comming to your computer. Downloads need to be scanned, that's it! If I download

    • Everything you said is absolutely right... except that only someone with a firm understanding of computers and software would be able to accomplish them. I don't know of many normal people that virus scan every file that first comes into their computer, backs up their MOST important documents, and uses Firefox.

      The fact is that, even as a computer science student, I don't use Firefox always (because I'm currently using Windows), I don't make daily backups because they can sometimes waste a lot of time, and
    • Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.

      The problem in Windows is even knowing where your documents and data are stored. Some programs still store settings and documents created under them in their program folder. Without a whole hard drive backup, most non-expert computer users would probably miss some of their important documents and data in their backup.

    • by v1 ( 525388 )
      Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.

      It's possible to have the best of both worlds. Use a free app like Rsync and the first run, yes it will be a full backup. Once it has completed that, the next time you run it, it only updates the backup to match the changes you've made to your hard drive recently. In most cases it only needs to move a few megabytes. The compare process takes about 5 minutes
  • tit for tat? (Score:3, Interesting)

    by mysticgoat ( 582871 ) * on Friday May 26, 2006 @02:45AM (#15407943) Homepage Journal

    Recent history:

    1. Symantic files suit against Microsoft with some kind of anticompetitive or abuse of license beef involving Vista.
    2. A day or so later, Symantic announces a zero-day exploit of Word. The malware in the Word document drops the ginwui worm that opens a backdoor and uses rootkit technology to hide itself and its activities. Symantic says that some companies have been victimized by this perhaps for months.
    3. And now a day or so later, a company with close ties to Microsoft announces that a major Symantic product contains a massive security flaw.

    Does anyone else feel that this time line suggests that the last item or two might be part of a hidden agenda? Are we witnessing the start of a FUD throwing contest between two of the industry's major players?

    I am so confused. What web news publishers should I now put my faith in?

  • by Anonymous Coward on Friday May 26, 2006 @02:52AM (#15407960)
    My company has invested in Symantec Antivirus Corporate Edition, and while I do like the centralized management features and the Symantec Antivirus Client's unobtrusive nature, these exploits (and there have been several for version 10 alone) are getting ridiculous. With antivirus on the gateway catching 99.9% of the incoming viruses, and account restrictions for users preventing them from doing any real damage if they do get infected, it seems like Symantec Antivirus serves more as a vector of virus and worm attacks than a layer of protection against them. The fact that we pay thousands of dollars a year for the privilege makes it that much worse.

    Has anyone deployed something other than Symantec Antivirus in a 250 PC company? If so, I'd like to hear your experiences.
    • We run trend officescan in a ~1000 PC corporate network and have only ever had one problem, with a bung pattern file that chewed up 100% cpu - which was fixed within a day or so (affected people world-wide).

      Fairly happy with it.


    • Been running Sophos Anti-Virus in the last two companies I worked for. It's always been far faster and more stable than either McAffee or Symantec's offerings. It's more CPU and memory intensive these days, but that's an unavoidable side-effect of signature scanners and 35MB of RAM isn't excessive on a modern machine.

      The downside is that it's not as user friendly as the others. Sophos only sell to business customers and hence expect it to be installed by a competant sysadmin. Once you've learnt how to m
      • by Splab ( 574204 ) on Friday May 26, 2006 @10:50AM (#15409708)
        Sophos is probably one of the most annoying AV programs I've tried. For some insane reason it has to do it's virus scans each day - and during work hours. You cant dismiss it and it keeps getting focus from windows, that means during the 3-5 minuttes it's scanning I can't do anything.

        (This is on a corporate network, I haven't got anything to do with how/why it's running )
    • NOD32 [eset.com] has awesome corporate anti-virus software. Very lean on memory/cpu resources and the remote admin features are very powerful. I tend to remove Symantec products from pcs where possible, because they are so bloated and resource hungry that they slow the pcs down to a crawl.
    • We also use Symantec Antivirus, actually Client Security with the firewall included. The key is to use a different vendor for each level of protection. Use one vendor's email gateway, another vendor's email server mailbox protection and a third vendor's client protection. As an example, we use Barracuda at the email gateway. It appears to act pretty much like a managed Spam Assassin box. I know Spam Assassin is the way to go but I just don't have the time to manage it. This way we get what appears to be the
  • by Anonymous Coward
    I'm getting tired, keep up with all these holes that need to get fixed to save my employment of a basic pay cheque.

    We need to fix root cause of the problem. Not restore service, but fix it.

    It's time to tackle this problem at the compiler level. Get rid of the various IDE wizards, where the latest summer student can spend 5 minutes building a so called enterprise class application.

    Instead of the next dual core processor, maybe the industry could spend some time on software and get it right.
  • by smash ( 1351 )
    As someone who has witnessed the norton (now symantec) suite go from being a decent bit of software in the DOS days, to the steaming pile of shit that it is now, this does not surprise me in the least :)


  • idiots (Score:3, Funny)

    by chiseen ( 846098 ) on Friday May 26, 2006 @03:22AM (#15408028)
    probably found their own exploit. :P
  • I've almost always convinced people I've helped with spyware and virus problems to just uninstall Symantec AV, as well as McAfee. They are resource hogs and not really very helpful in my experience. It's an easy sell given these people were running the "anti-virus" software before, during, and after they got infected.

    They're better off with two or more good anti-spyware apps, a good firewall, Firefox as the primary browser (I've converted at least a dozen or more people to it), and updated Windows.

  • the site where quite a few people of intellegence read their news daily. Both good and bad, of course.
  • I've been using ClamWinAV for a couple months now. It seems to do as good a job as the commercial products that shipped with my laptops. And it's free... It does not do live scanning (or, I don't think it does), but works perfectly for scanning the computers at night when it will run unnoticed. It may not be perfect for everyone but is great for me.
  • by mlow82 ( 889294 ) on Friday May 26, 2006 @04:51AM (#15408218)
    Avast! [wikipedia.org]
    AVG Anti-Virus [wikipedia.org]
  • Yet another... (Score:3, Insightful)

    by RM6f9 ( 825298 ) * <rwmurker@yahoo.com> on Friday May 26, 2006 @05:27AM (#15408298) Homepage Journal
    reason not to do business with them: When I found out that the consumer versions couldn't even uninstall *themselves* cleanly, I reasoned there was no way they'd be able to remove anything else...

    So, how *do* they manage to stay in business with such a large share of the security market?

    (bustling off to buy put options...)
    • So, how *do* they manage to stay in business with such a large share of the security market?

      Well, my last 2 computers had Symantic pre-installed. Kinda like AOL and Windows.
  • Thank you (Score:2, Funny)

    by kanzels ( 975208 )
    Now I'm happy that my Windows is safe inside vmware and running only twice a month using Linux as host and firewall :)
  • Raise your hands if you really didn't see this coming.

    For one thing, the closed-source nature of the whole anti-malware market is a fertile breeding ground for exactly this sort of problem.

    Fort another thing, if your whole business depends on the very existence and high market penetration of malware, you stand to lose out massively if you actually manage somehow to eliminate it altogether. Symantec et al need the virus writers, the script kiddies, the crackers and the spyware merchants. If it wasn't f
  • by sjonke ( 457707 ) on Friday May 26, 2006 @09:25AM (#15409107) Journal
    This gaping hole is intentional, but it wasn't suppose to be released yet. That was a mistake. It's a new Symantec Anti-Virus feature called "Wide Open Front Door". WOFD opens up many large security holes in your system, with the intention of confusing attackers - when a potential attacker finds a system with so many massive, gaping security flaws, they figure their must not be anything interesting inside because if there were the system would certainly be locked down tight. The potential attacker will figure it's not worth the trouble and attack some other system instead.
  • Symantec has putting out terrible products for years now. In addition to totally devastating the products it buys, it also makes them nearly impossible to remove. I have had to forcefully remove Norton products from many of my clients' systems by using the "forced removal" tools that Symantec provides. Now, I don't know if it's just me, but isn't that a bad sign when a company provides tools (even though the tools are buried in their corporate site) to remove their own products because the product's own uninstall routines fail miserably so often?

    I normally recommend something along the lines of AVG or Avast! to customers after that little experience. People normally learn after their wallet gets hit a few good times for computer repair.
  • by stinky wizzleteats ( 552063 ) on Friday May 26, 2006 @11:48AM (#15410130) Homepage Journal
    That is so ironic it's almost surreal.

    That's like making an operating system that causes a computer not to operate.

    Oh, wait...

Logic is the chastity belt of the mind!