Symantec Antivirus Remotely Exploitable Vulnerability

This is bad – whose defending the defender? eEye security has a bulletin announced that regards a remotely exploitable vulnerability in Symantec Antivirus 10.x and Symantec Client Security 3.x They say other versions MAY be vulnerable they’re waiting for information from Symantec. Now, Symantec is probably the biggest selling antivirus package out there. It looks as though, from Symantec’s advisory, that the Norton Antivirus product line is not affected, ONLY “Symantec Client Security 3.1” and “Symantec Antivirus Corporate Edition 10.1”

They have released IDS updates to try to detect attempted exploits of this….

There do not appear to be exploits in the wild currently for this issue. It sounds like a VERY serious issue and a patch should be coming soon. (No word on when though.) (They are still evaluating other products for this vulnerability.)

Remotely exploitable Antivirus is a BAD thing… Which is why George Ou thinks it’s time to get rid of desktop antivirus…. he does have some decent points, that ANY software that handles files from the outside world can be a weak point. IT IS a good point that antivirus filtering/scanning should be done at the gateway. However, I still have to convince people that they need antivirus even though they just download mail from webmail and the webmail scans for viruses… George says he hasn’t had a problem with a virus on a PC, and that among the “expert users” he knows none of them have either. That’s very good, i’m glad to hear. I’ve seen many users experienced and inexperienced pick up who knows what on the web, with the neat screensaver that so and so… emailed that didn’t seem to do anything, with that neat “game” download… Or, “well I just went looking for lyrics to a **** song…” or… “I just got a highspeed connection last week and things are acting funny…..” Now, maybe I can’t claim to know any experts, myself included… ok fine.

Of course, he is pointing towards Vista and saying that IE will be sandboxed, everyone will be limited-user…. Of course, also in a corporate environment you can have proxy antivirus scanning for mail and web content and even some homes may do likewise, but frankly, MOST homes aren’t NEARLY at the point where they can move the virus scanning entirely to another machine.

YES it’s easily do-able and fairly cheap for someone with a bit of computer experience to setup an antivirus filtering gateway. In fact… with Viralator and squid it would be fairly easy to filter web traffic, add in another component for mail scanning, and that could be a stand alone proxy/scanner for web and mail. What if someone in the network uses IM – I guess Intrusion detection signatures could mitigate that threat, but I’d still be reluctant to say now’s the time to throw it out entirely. I like the idea of “layered defense”. In one particular location that I support they have desktop antivirus and mailserver antivirus (no proxy virus scanning… yet…) The desktop antivirus frankly has not gotten MUCH use as the mailserver antivirus usually picks up and cleans out the problems, however…. I use two different “flavors” of antivirus so that if the updates for one product are a bit slow, the other, hopefully will be able to defend.

Many of the comments to George’s post reflect 2 things…. 1) an impression that he said to get rid of your antivirus (period…) and 2) that the network is NOT the only way bugs can get in…

With regards to 1… that is NOT what he means, he essentially means to move your antivirus off your desktop and to a PC in the network DMZ (out in the wild internet…) I think half of that is a good point and that’s where MOST scanning should be done, however I STRONGLY disagree that desktop antivirus should not be installed. Mainly because of point 2… Most of the time, viruses infect a system because of choices the user makes. *(There are rare situations that it IS beyond their choice, maybe because it’s beyond their expertise…) Visitor at the pc, poor decision, flash card, bluetooth device, wireless card…. how many ways are there that something can STILL get in the system. Vista may make great strides. It does sound like a marked improvement, but It is NOT here. IT is NOT installed on most PC’s. It Will not be widely installed for at least 10-12 months.

Please folks, keep your desktop AV installed and up-to-date. If you want to add perimeter scanning to your home network. There are ways to do so. Maybe we’ll look at some here at some point.

—-update on the Symantec Vulnerability —— 5/27/06 ——

Looks as though I rambled a bit off the specific Symantec vulnerability above…. anyway – it looks as though today:

Symantec has released update patches for the affected products. They appear to be manual download and install only at this point, Hopefully they will be integrated into the liveupdate process (?).

   Send article as PDF   

Similar Posts