Symantec under fire for bugs, flaws

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2003/0625symtecflaw.html

By Paul Roberts
IDG News Service
06/25/03

It's shaping up to be a bad week for antivirus software company
Symantec after researchers raised alarms about security holes and
buggy code in two of the company's products.

On Monday, Symantec acknowledged a report about a serious security
flaw in Symantec Security Check, a free online service that enables
users to scan their computer's vulnerability to a number of security
threats.

According to a message posted in the online discussion group
Full-Disclosure on Sunday, an ActiveX control installed by the
Security Check service contains a buffer overflow vulnerability that
could enable a remote attacker to crash or run malicious code on
systems that had the control installed.

The control, named "Symantec RuFSI Utility Class" or "Symantec RuFSI
Registry Information Class," is used to run the security check, but
remains on systems after the scan is complete, according to a
statement from Symantec.

After learning of the security hole on Monday, Symantec updated the
ActiveX control in the Security Check service. Individuals that
re-scanned their systems would receive the updated control.

Symantec also provided instructions on updating the control or
removing it from affected systems.

However, security researchers monitoring the issue noted that simply
updating the control still left users vulnerable to attack, especially
if that control contains Symantec's digital signature.

Attackers who have a copy of the flawed ActiveX code with a valid
digital signature could trick Microsoft Windows systems into accepting
the control, opening that system to attack even if it did not already
have the faulty component installed, according to a notice posted to
Full-Disclosure by Jason Coombs, a software security expert in Kea'au,
Hawaii.

Symantec acknowledged that the new control uses the same digital
signature as the flawed one and is "looking into" that issue,
according to Anson Lee, product manager for Norton Internet Security
at Symantec.

In the meantime, the company is encouraging Internet users to apply
so-called "best practices" when prompted to download an ActiveX
control.

Best practices include scrutinizing the signature of ActiveX
components before agreeing to download them, Lee said.

Users should be suspicious when third party Web sites ask you to
download an ActiveX component signed by Symantec, according to Vincent
Weafer, senior director of Symantec Security Response.

In the meantime, the flawed ActiveX control from the Security Check
service could be an attractive target for hackers.

Symantec estimates that more than 30 million individuals visited the
Symantec Security Check site since its inception, Lee said.

The company does not know how many of those users actually scanned
their system, nor does it have any way to contact users who did, he
said.

Symantec is in the process of creating a tool to help remove the
ActiveX control from affected machines. A team at the company is also
investigating ways to nullify the faulty control, but could not
comment on any progress in that search, Lee said.

Symantec also found itself in hot water on Monday after customers
using Symantec AntiVirus Corporate Edition reported that an automated
antivirus definition update from the security company caused the
antivirus software to fail. The problem was disclosed in the NTBugtraq
discussion list on Monday.

The problem stemmed from a faulty antivirus "microdefinition update"  
distributed on June 19, according to Russ Cooper, NTBugtraq moderator
and surgeon general of TruSecure.

Microdefinition updates are a new feature with Version 8 of the
Symantec AntiVirus Corporate Edition that enable systems running the
software to download small, incremental antivirus definition updates
rather than large, comprehensive definition update files, Cooper said.

Symantec's antivirus software would not start on desktop systems that
installed the faulty update, leaving some customers without antivirus
protection on desktops and servers running the software.

The flaw affected a Symantec antivirus service called the "realtime
scanner" that runs in the background while users work and monitors
files and other resources for viruses, according to Weafer.

A second service, the "on-demand" scanner was not affected by the
problem, he said.

Cooper received confirmation of the problem from at least 30
companies. "Thousands" of systems running the software were affected,
he said.

Symantec put the number of affected customers at fewer than 40
worldwide, according to Vincent Weafer.

"It's a very focused group of people using a special type of
deployment," he said.

A Symantec knowledge base document created June 20 and updated on
Monday acknowledged the existence of the faulty update and provided
instructions on repairing systems that downloaded the faulty update.

Customers affected by the bad antivirus update should remove it from
"parent" distribution servers and desktops on their network before
obtaining and loading the valid definition update file on the
distribution servers, which will then distribute the file to affected
desktops.

Downloading and deploying a full antivirus definition update would
"flush" the flawed incremental update from systems on which it was
installed. Symantec also released a tool to help administrators
automatically restart the realtime scanner on systems affected by the
vulnerability, Weafer said.

Antivirus Corporate Edition version 8 systems that downloaded a full
definition update (.vdb) file or that acquired virus updates using
Symantec's LiveUpdate or Intelligent Updater services are not
affected, Symantec said.

The company has not received reports of more customers affected by the
problem, but is still working with some customers to refresh machines
affected by the bad definition update and restart services on those
machines, Weafer said.

The problems are just the latest examples of problems introduced by
antivirus companies.

In May, Trend Micro was forced to issue a fix for an embarrassing
snafu caused by an update to the eManager e-mail security product that
blocked all e-mail containing the letter 'P.'

The problem stems from popular "auto-update" features that
automatically distribute virus definitions and software updates to
remote systems, Cooper said.

Such mechanisms frequently lack features to verify that such updates
are properly installed on the systems that receive them, or to roll
back faulty updates in the event that problems are introduced, he
said.

Antivirus companies also frequently use the update features to
silently distribute software patches to their customers, Cooper said.

As currently implemented, such systems can easily and quickly
distribute buggy or vulnerable code to thousands of systems, he said.

"Here we have Symantec attacking their own customers with a flaw. So
we don't have to worry about the bad guys doing it. Symantec is doing
it for them," Cooper said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.