Results 1 to 6 of 6

Thread: ** Heads Up ** Symantec - Ooops

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    ** Heads Up ** Symantec - Ooops

    Received today on Bugtraq:-

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Title: Symantec Security Check ActiveX Buffer Overflow

    Date: Monday, June 23, 2003 09:15:19 PM
    Threat: Moderate
    Impact: System Access
    Product: Symantec Security Check

    Situation Overview:
    Symantec Security Check is a free web-based tool that enables users to test their computer's exposure to a wide range of on-line threats. As part of running the check, users may install an ActiveX Control which remains on the user's system even after the check has completed.

    The current ActiveX Control - which can be named Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class - contains a buffer overflow exploit. The buffer overflow can be exploited when the user with this ActiveX Control visits a malicious website intent on exploiting this vulnerability. The exploit can cause Internet Explorer to crash and/or the execution of arbitrary code on the user's computer.

    Symantec has replaced the current ActiveX Control on the Symantec Security Check website so that new visitors will not be affected by the exploit.

    Recent visitors to Symantec Security Check should revisit the site and run a new Security Scan. By running a new scan, the previous ActiveX Control will be replaced by an updated ActiveX Control that fixes the buffer overflow condition.

    Advanced users can attempt to delete the ActiveX Control by rebooting and then going into the system folder: %SystemRoot%\Downloaded Program Files\ and delete "rufsi.dll". This must be done by using the command prompt and the user must not be on the Symantec Security Check site at the time.

    Statement:
    Symantec was made aware of Symantec Security Check's ActiveX buffer overflow vulnerability today through a public posting on the Internet. Since hearing of the exploit Symantec has worked diligently to replace the ActiveX Control on Symantec Security Check. Through Symantec's customer support, we are working with users who may have downloaded the exploited ActiveX Control to remove it from their systems. Although Symantec Security Check is available to both PC and Mac users, this issue only affects PCs.

    Symantec Vulnerability Response Process:
    Symantec is a strong supporter of responsible disclosure. It is our goal to establish a working relationship with researchers who discover vulnerabilities in Symantec products and to develop, test and make available updates prior to there being publicly disclosed. It is ours as well as much of the security communities belief that premature disclosure can pose a serious threat to the internet. Such disclosure should be discouraged.

    Symantec Security

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBPviB3hMwEkwA14VxEQJ7WgCdHlF3E6/id/tJc0EJBejLq75E2QMAoJIY
    Xl3JfZOIT/LXoB8GnqznO3iS
    =j4U8
    -----END PGP SIGNATURE-----
    If you used this service recently - go and use it again to fix their problem.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    That precious. It reminds me of when those guys spoofed the DNS name for Symantec's autoupdate service and infected a bunch of people.

    Lesson learned?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Yeah.... I remember that one..... another gem....LOL
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    LOL,

    Just as I was typing this I saw an e-mail on BugTraq about exactly what I was thinking...

    If these ActiveX controls are digitally signed, getting the new control may not be enough to solve the issue.

    Here is a copy of the e-mail from the guy who took the words right out of my mouth: FROM BUGTRAQ

    1) Does this ActiveX control bear a digital signature? If so, the problem it causes does not go away simply because there is a new version available from Symantec. An attacker in possession of the bad code with its attached digital signature can fool a victim whose computer does not currently have the vulnerable code installed into trusting the ActiveX control due to the fact that Symantec's digital signature will validate against the trusted root CA certificate present by default in Windows -- the existence of the digital signature on the bad code effectively transfers ownership of millions of other people's computers to anyone who should become interested in attacking those computers; it is extremely important that Symantec take further action above and beyond compiling a new version of the affected code because of the ongoing threat posed for the duration of the validity of the digital signature.

    2) Symantec must have known in advance of this discovery and disclosure that ActiveX was inherently insecure and that the whole system of digital signatures and third-party PKI advanced by Microsoft was flawed beyond repair, yet Symantec chose to put the computing public at risk anyway -- how can Symantec claim that disclosure is a serious threat that should be discouraged while Symantec knowingly engages in business behavior that the security community knows to be unsafe? If Symantec's products were designed with security as the highest priority, they would be open source and they would avoid using any technique such as ActiveX controls and digitally signed code that has been proven to be impossible to manage securely.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    why do these posts scare me so bad? lol. man how many people never read things like this and trust these corporations with thier box? its crasy to think of the thousands infected or destroyed. is it supply and demand though? i supply the virii and you provide the cure? it all comes down to big bucks. if you were not infected would symantec even exsist?

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    686
    Yeah but who can you trust if you can't even trust that you are connecting to your AntiVirus software's host server? Or that they kind of overlooked something and actually were infecting people with an exploit? Things like this happen, the sad fact is most of the people who get infected or just the typical users who don't know any better. Heck I would probably even overlook something "harmful" coming from Symantec's site, wouldn't you?

    There is a need for the software because there will always be the "dark side" of computer users. Just like we will always have something or other JUST INCASE. That is the way it is with anything though.

    Symantec is run by humans, just like M$, and all the other companies. Some places just have crazy people running around and trying to make the big buck *cough*M$*cough*, but other places are out there to help aid against attackers, which is what Symantec is there for. I don't think they are after the big buck, but that's my oppinion.

    In closing I think it all comes down to the education of the typical user and for seeing "problems" appearing like this. When it comes down to it, the user sitting behide the screen is the one who has to take care of themself, and hopefully know about stuff like the digital sig and what not to protect themself. But even the most advanced user is still going to have AV software and probably trust that they are connecting into the host server to download updates, no viruses, and also that they are not downloading an ActiveX controller that is going to bring them an exploit rather than peace of mind.

    Though as usual, just a thought...
    ~AciD
    [shadow]There is no right and wrong, only fun and boring...
    Formatting my server because someone hacked into it sounds pretty boring to me...
    That\'s why it\'s all about AntiOnline.com!
    [/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •