There’s a workable attack vector out there that can be used to penetrate systems using Symantec anti-virus software.


We all depend on security software to protect our office systems
these days and no business is more in the forefront of protecting companies and
government agencies than Symantec. That’s why when some vulnerability is
discovered in the giant security vendor’s products, it’s such a critical issue.

Unfortunately eEye Digital Security Inc. has discovered a workable
attack vector which can be used to penetrate systems using Symantec anti-virus
software and take control of the computers.

Symantec has confirmed that the Norton AV software found on
many home and small business or home office systems is NOT vulnerable to this

Because they are a responsible, professional security firm, eEye doesn’t publish details of exploits or even a detailed
advisory until the vendor has time to make changes.

The eEye note on this new Symantec
vulnerability was marked as “upcoming” at the time of writing this report, but it
may have been updated since.

Initially eEye simply stated that
it has demonstrated an exploitable flaw in Symantec Antivirus 10.x and Symantec
Client Security 3.x, a vulnerability that can be used by a remote attacker to
run arbitrary code with system level access, in other words, take complete
control of the system.

While this is a critical threat, there aren’t enough details
yet to know how to mitigate the threat and there is little you can do except to
remain vigilant and watch for a patch/fix from Symantec.
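Until a fix ships, the one thing a defender can do now is find out which machines would need it. The script below is an added example, not code from eEye or Symantec: it reads a constructed inventory export (the CSV layout, hostnames and product strings are assumptions) and flags every host running the product lines named in the note, Symantec AntiVirus 10.x and Symantec Client Security 3.x. Because the note gives no finer granularity, every build under those major versions is treated as exposed; the Norton consumer line, which Symantec says is not affected, is excluded.

```python
"""Triage which inventoried hosts fall in the version ranges named in the
eEye note (Symantec AntiVirus 10.x, Symantec Client Security 3.x).

Added example. The inventory format, hostnames and product strings below
are constructed assumptions, not data from eEye, Symantec or any real site.
"""
import csv
import io
import re

# Affected major versions per the advisory text. No finer detail is public,
# so every build under these majors is treated as exposed until a fix appears.
AFFECTED_MAJORS = {
    "Symantec AntiVirus": 10,
    "Symantec Client Security": 3,
}

# Consumer line Symantec has confirmed is not vulnerable to this issue.
NOT_AFFECTED_PREFIXES = ("Norton",)

# Constructed sample inventory, shaped like an asset-management CSV export.
SAMPLE_INVENTORY = """hostname,product,version
fs01,Symantec AntiVirus,10.0.2.2000
ws-acct-07,Symantec Client Security,3.0.2.2000
ws-hr-02,Symantec AntiVirus,9.0.5.1100
laptop-ceo,Norton AntiVirus,2006
ws-dev-11,Symantec Client Security,2.0.3.1000
"""


def parse_version(text):
    """Turn a dotted version string into a tuple of ints ('10.0.2.2000' -> (10, 0, 2, 2000)).

    Non-numeric fragments (build tags, stray whitespace) are ignored so that
    slightly messy inventory data still compares correctly.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(product, version):
    """True when the product/version pair falls in an affected major version."""
    product = product.strip()
    if product.startswith(NOT_AFFECTED_PREFIXES):
        return False
    major = AFFECTED_MAJORS.get(product)
    if major is None:
        return False
    parsed = parse_version(version)
    return bool(parsed) and parsed[0] == major


def exposed_hosts(inventory_csv):
    """Return the sorted hostnames that will need the Symantec fix once it ships."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(
        row["hostname"]
        for row in rows
        if is_affected(row["product"], row["version"])
    )


if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_INVENTORY):
        print("watch for Symantec fix:", host)
```

Swap `SAMPLE_INVENTORY` for the real export from your asset tool; the output is the patch list to work from the moment Symantec releases a fix, and in the meantime the list of hosts worth extra monitoring.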

Final word

This sort of event demonstrates just how much we depend on
other companies’ ability to protect our systems and what that dependence can
lead to.

Personally, I always emphasize to my clients that the first
and very best security consists of regular and repeated memos and meetings
explaining the basics of security with EVERYONE in the company who has access
to a networked computer on the mailing list and in one of the meetings.

This includes secretaries, clerical workers, even
executives. Keep hammering away that visiting untrusted
Web sites, doing personal business on company computers, and, especially,
opening e-mails from strangers or opening ANY attachment which you aren’t
expecting even from a trusted source, can cause severe financial damage to the
company and may be considered sufficient reason for immediate termination, EVEN

We wouldn’t let just anyone in the office fly a company
airplane, drive a delivery truck, or service the HVAC system, but we let
everyone use computers and then throw up our hands in frustration when they
fail to follow secure procedures.

Not every threat can be mitigated by following strict Internet
and e-mail best practices, but that would block MOST threats, even when security
software fails.

I also have a few comments on Microsoft OneCare
which just went on sale this week. Perhaps MS made a tactical error when it
decided that people who went to the site using Firefox
instead of IE were not going to be able to spend money there. When I tried, I
got “Error 1123” (unsupported browser). I can understand not wanting to give
things away free to people who use Firefox, but to
refuse to even sell them something! If it won’t work without IE on your system
then let people know on the first page!

Also, I surfed through about a dozen pages on the site and
was never able to locate an actual price. I suppose they would have told me
what it cost if I had gone through the entire registration process, but I
decided to pass. I never trust any product when the company hides the price.
The best I could do was look at a February
7, 2006 press release
which quoted an upgrade for beta users at $19.95 and listed
new customer price at $49.95, but that is six months old and may have changed.

I’m sure Microsoft has the price posted someplace, I just
got tired of looking. (Ironically, I recently posted a blog note about how
Microsoft just doesn’t know how to deal with Web users.)

I seem to recall that the current estimate of time an
experienced Web user will waste looking at a Web site that doesn’t show them
basic information is about 30 seconds.

Also watch for…

  • Secunia reports a hotfix is
    available for version 6.40 of F-Secure AV for Microsoft Exchange. That program
    and F-Secure Internet Gatekeeper (there is a fix for that also) have moderately
    critical remote denial of service vulnerabilities.
  • Students with
    outstanding loans may have another problem. According to SecurityProNews,
    Texas Guaranteed Student Loan Corp. says that the names and social security
    numbers of 1.3 million customers have disappeared. Fortunately, unlike the
    Veterans Administration, Texas Guaranteed says that their files were
    encrypted. Unfortunately, they were sent on a piece of hardware (probably a
    hard drive but nobody is saying) to a third party which promptly decrypted
    the files and lost them. They may or may not still be encrypted in another
    form.
  • Windows Live OneCare
    AV, Anti-spyware, backup, and firewall, is now
    available. You can try it free for 90 days