Symantec AntiVirus Hole Found

Hotwater Mountain writes "eWeek has a story about a gaping security flaw in the latest versions of Symantec's anti-virus software suite that could put millions of users at risk of a debilitating worm attack. According to eEye Digital Security, the company that discovered the flaw, the vulnerability could be exploited by remote hackers to take complete control of the target machine 'without any user action.'"

Details?

[SomeGuyFromCA]

Is it server-side or client-side? Is it push or pull?

If it affects the install on the clients, but needs to get access to them, I wave my paw and say "bah."

If, on the other hand, it can attack the server...

Well, then again, everything should be behind a firewall anyway, with only needed ports forwarded.

I mean that's just common sense...

what a joke they are

[deglr6328]

Why does anyone even use thier products at all anymore? Three little letters: A V G. after removing symantec's bloatcrap and installing AVG free its practically equivalent to gaining ~.5 GHz.

Throw me a friggin bone!

[BarryLoper]

OK that leaves about every question unanswered.

At least give us a little bit on how this vulnerability could be exploited other than: This flaw does not require any end user interaction

• Do I have to browse to a malicious website?
• Do I have to download an infected file for it to scan?
• Does it somehow come in on Live Update?
• What if I have a firewall?

Throw me a friggin bone here! I'm the user... Need the info...

I suppose the important part is they got the scoop!

It depends

[smvp6459]

I'm not a Symantec fanboy but Symantec Antivirus (SAV) - the enterprise version - is pretty lean. As for Norton Antivirus or whatever they call it now...I couldn't agree more with your estimation of its bloatedness.

Older Versions?

[tecker]

I noted that the eEye details [eeye.com] point out this:

Symantec Antivirus 10.x
Symantec Client Security 3.x
(Other Symantec Antivirus products are also potentially affected, waiting for vendor list)

Question 1: Are norton Consumer level products (Norton/symantec Antivirus 2006 for example) in this list.

Question 2: Where does this security vulnerability lie? In the scanning engine or in the GUI appliation wrapper or helper dll. This could let us know if the Symantec Antivirus 9 -> 1 are bad.

Im holding Slashdot to a Slashback on this as this unfolds.

BTW, any takers on the ammount of time till patch. Clock starts now.

Re:It's hard to imagine....

[Anonymous Coward]

Symantec hasn't actually ever made a good product. They BUY good products and then drive them into the ground. Ghost was just the last of the Norton suite of products that they got arround to breaking.

Actually as far as I can tell Symantec hasn't actually ever made a product at all. I'm sure they must have once, how else did they ever get the money to buy Norton in the first place (venture capital I guess), but every Symantec product I can think of was originally aquired from someone else.

I'd find it very hard to imagine a company that has done nothing but destroy every piece of intelectual property it aquires and continues to make money. Unfortunately I've seen it...

DUH! we've been calling it Norton Virus for years!

[aaron_pet]

I've never seen a program cause as many problems as some of these name brand anti-virus programs.. they're worse than having the viruses!!! and they add extra complexity that gives attackers more possibilities for exploitation.

Keep your patches up to date, or don't connect to the internet...
Don't open ANY freaking attachments, unless you expect it, and you know where it came from... or don't connect to the network.

My mom's computer has their security suite? set up on it... it basically just nags her when programs try to do anything... it's nice that it warns about Real Player's nasties... but we all know to unistall that basterd and just use the codec... ... I'm saying stuff that everybody already knew... but nobody cared enough to nuke that company for the good of the world.

no proof of concept yet?

[themysteryman73]

"there are no publicly shared proof-of-concept exploits or other information to suggest an attack is imminent"

Great, so lets just advertise that it's vulnerable instead of fixing it! How many h4x0rz are going to try to 'sploit this now as opposed to before for a quick ego trip?

Re:what a joke they are

[Anonymous Coward]

People use Norton Antivirus for it's virus detections. People use AVG because it's free. When it comes to detecting viruses, AVG doesn't compare to Norton.

Re:That saves time!

[Anonymous Coward]

Yep, say something utterly stupid about Symantec and you're a jerk and a troll. But do the exact same about MS you're +1.0E+100 Insightful Funny Coolest Guy Evar. So you see, you only made two mistakes:

1. Failed to understand the masses of drooling idiots and full-blown wackos that make up the vast majority here
2. Simply posted in the wrong discussion

Know thy peers, for they are as predictable and easily played as they are moronic and irrational.

Re:what a joke they are

[Mistshadow2k4]

Pure, unadulterated BS. I've used both and Nortons absolutely sucks compared to AVG. With Norton's my computer got so badly infected that I had to reinstall the OS two different times. Installed AVG and never had that problem again. Did I download anything that had the virus in it? No! Both times the viruses downlaoded themselves straight into my computer from the internet -- which means Norton's firewall didn't do anything to stop them. On top of this, one time I uninstalled it in order to reinstall it and I couldn't boot Windows afterward.

Nevertheless, I think Avast! is the best antivirus, but I've heard a great deal of good aobut NOD32 and Kaspersky's. Any of them beat Norton's. Hell, as bad as Norton's can screw up your computer no antivirus is sometimes better. I don't know how many times I had to reinstall it because it started screwing up or just didn't install right in the first place. All of that applies equally to McAffee too.

I don't know what the deal is here with you and whoever is modding anything critical of Symantec as "flamebait" and your BS as insightful, but you can't quit with the outright lying. You've both made yourselves as transparent as freshly-cleaned glass. Normally, I'd think someone who made such an accusation was paranoid, but that's how blindlingly obvious you guys have been. And the thread is still young. Too bad the people running this site aren't involved enough to care anymore.

Re:Who has heard that conspiracy theory

[Half a dent]

Who HASN'T heard that conspiracy theory? No really I'm interested, I might even get a grant for a study.

Re:No wai-

[Jesus_666]

Fighting fire with fire. Phh. Did that work in Kuwait? No, sir. Real firefighters use explosives to extinguish the fire, which is why our local fire department has completely switched over to C4. It saves a lot of water, too.

As for NAV... Maybe you could use a special NIC that detects malicious traffic and self-destructs rather than passing the packet to the rest of the system.

Re:It's hard to imagine....

[bm5k]

I'd find it very hard to imagine a company that has done nothing but destroy every piece of intelectual property it aquires and continues to make money.

Why? AOL's been doing it for YEARS. Remember ICQ? Winamp? Need I say more?

Yet another...

[RM6f9]

reason not to do business with them: When I found out that the consumer versions couldn't even uninstall *themselves* cleanly, I reasoned there was no way they'd be able to remove anything else...

So, how *do* they manage to stay in business with such a large share of the security market?

(bustling off to buy put options...)

Re:No wai-

[Alef]

Actually, I have never (unintentionally) gotten any of my PCs infected with a computer virus, but thrice I have had the system severely broken by the virus scanner (each time a different brand). I have started to think it is a greater risk to have a virus scanner installed than not to have one, at least for me...

Re:Was it a buffer overflow? or a bad pointer?

[Anonymous Coward]

Until people like you learn how to code.

Sadly, morons who can't figure out how to check buffer length and pointer cromulence is what the industry really has to 'put up with'.

Re:AntiVirus is for Newbs

[IHateChoosingAName]

Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.

The problem in Windows is even knowing where your documents and data are stored. Some programs still store settings and documents created under them in their program folder. Without a whole hard drive backup, most non-expert computer users would probably miss some of their important documents and data in their backup.

Re:what a joke they are

[Himring]

Well, in our case we tried hard to replace symantec's enterprise av, but nothing could fit our network as well. The main selling point is that the SAV console works for us. We have 100s of sites across the country on every imaginable type of connection, and each and every other AV "enterprise" suite fell on its face -- except Symantec's. We really, REALLY, wanted trendmicro's officescan product to work. It is, by far (IMO), one of the best admin-centric AV tools out there, but it, too, could not handle our disparate network.

There's more to AV than your home computer. Managing 1000s of machines across the country takes more than the tinyest AV program you can stick on one computer. Our needs are first and foremost having an AV install on each system, with good virus defs, and that we can actually manage remotely. SAV is still the best for that in our opinion....

Re:AntiVirus is for Newbs

[v1]

Daily backups are the key. And not Whole Fucking Hard Drive Backups like most insane backup programs want to do. Backup your damn documents and data.

It's possible to have the best of both worlds. Use a free app like Rsync and the first run, yes it will be a full backup. Once it has completed that, the next time you run it, it only updates the backup to match the changes you've made to your hard drive recently. In most cases it only needs to move a few megabytes. The compare process takes about 5 minutes for a 160gb HD, and in most cases the sync that occurs afterward takes about 2 minutes. No catalog sets, no databases to get corrupt or need reindexing. (retrospect comes to mind immediately...) Fast, effortlessly networked, and yet works as a full backup for very easy restores.

I rsync my flash drive (4gb) to my laptop (160gb), and my laptop to my server. It's very comforting knowing my laptop's HD is fully backed up at least weekly, as my life is on there. ;)

Re:Alternatives to Symantec Antivirus?

[Splab]

Sophos is probably one of the most annoying AV programs I've tried. For some insane reason it has to do it's virus scans each day - and during work hours. You cant dismiss it and it keeps getting focus from windows, that means during the 3-5 minuttes it's scanning I can't do anything.

(This is on a corporate network, I haven't got anything to do with how/why it's running )

Re:It depends

[kwalker]

Except that SAV 9 is vulnerable to a buffer overflow attack [symantec.com] that forced my company to upgrade to SAV 10.