Symantec AV may execute viruses

I would actually expect LiveUpdate for the home versions to get the update automatically. The corporate edition however does not update the software via LiveUpdate - they figure IT departments would rather control when the software gets updated themselves, but unfortunately in most companies that probably means almost never :\

Also, it doesn't appear that this issue affects the Mac software (at least, I didn't see the Mac products in the Symantec vulnerability list), only Windows products.

if this is a heap overflow and if osx uses a bsd-derived libc (with phk
malloc implementation), the vulnerability would not be exploitable. this
seems like a probable explanation.

-p

Here are the listed Mac products, according to the website
http://www.symantec.com/avcenter/security/Content/2005.02.08.html

Consumer products section..

Symantec Norton Antivirus 2004 for Macintosh
Symantec Norton Internet Security 2004 for Macintosh
Symantec Norton System Works 2004 for Macintosh
Symantec Norton Antivirus 9.0 for Macintosh
Symantec Norton Internet Security for Macintosh 3.0
Symantec Norton System Works for Macintosh 3.0

Also, you can configure in the Systems Center Console for the corporate
edition (server) to download product updates as well..
Now if I can only figure out these version numbers..

Brance :)_S

Once upon a time, Jeff Wheeler <jwheeler@usip.org> said:

Also, it doesn't appear that this issue affects the Mac software (at
least, I didn't see the Mac products in the Symantec vulnerability
list), only Windows products.

It isn't Windows only; the Solaris versions of Brightmail are affected.

Oh, wow, I see how I missed that - I had already scrolled halfway down the page and was looking at the Consumer Products section under "Non-Vulnerable Products"... whoops :)

Looking at it more closely, they are saying the same thing twice:

Affected Product - only affected prior to build x.y.z
and then
Non-Vulnerable Product - only non-vulnerable starting with build x.y.z

I got a new antivirus base for OS/X via LiveUpdate at approximately 11:45 EST today.

Neil Mehta & Alex Wheeler from ISS, who identified this and a number
of other AV issues, will be doing a presentation on it entitled "Owning
Anti-Virus" at CanSecWest.

cheers,
--dr

P.S. To not pick on any one vendor exclusively, it's not just Symantec
that has issues... I know that an F-Secure advisory has now been
released too... and who knows, as an educated guess, I'd bet
there probably will be others coming... ;) Allocating some IT
schedule to AV updates/verification seems prudent.

Too true, as soon as the updates are available.. Still haven't seen one from
Symantec (anyone else out there seen one yet??), maybe F-Secure will be
faster..

Brance :)_S