-
May 26th, 2006, 12:29 AM
#1
Should we be surprised at this?: Company: Hackers can crack top antivirus program
Credit - CNN who credits the AP who credits eEye - I can't get no credit or satisfaction :
WASHINGTON (AP) -- Symantec Corp.'s leading antivirus software, which protects some of the world's largest corporations and U.S. government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files or implant malicious programs, researchers said Thursday.
Link: http://www.cnn.com/2006/TECH/interne....ap/index.html
From eEye:
Date Reported:
May 24, 2006
Vendor:
Symantec
Description:
A remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.
Severity:
High (Remote Code Execution)
Remote Code Execution:
Yes
Software Affected:
Symantec Antivirus 10.x
(Other Symantec AntiVirus products are also potentially affected, waiting for vendor list)
Status:
Initial report stage
Source: http://www.eeye.com/html/research/up.../20060524.html
For those with Symantec, and this is a "just-in-case" thing, what would work to replace Symantec on an enterprise level - say 30-50,000 workstations and > 5,000 MS servers? "Bueller?, Bueller?, Bueller?"
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
-
May 26th, 2006, 10:01 AM
#2
Hmmmm,
Is it surprising? Well, I guess the answer is "yes and no".
Yes, because you would expect security product vendors to be more diligent.
No, because of the nature of the product. It updates continuously, it is intended for networks and easy updating across networks and it runs with elevated privileges. In that respect I would not have thought that Symantec was any different from other enterprise level security suites?
For those with Symantec, and this is a "just-in-case" thing, what would work to replace Symantec on an enterprise level - say 30-50,000 workstations and > 5,000 MS servers?
The obvious is NAI's McAfee, but there are other enterprise level products out there.
I would take the view that the number of instances is not that relevant because they are discrete. One desktop does not know what is on another. The issue would only be one of efficiency when you are having to update from a central source? And, of course, the actual product performance, which is a question of quality rather than quantity.
-
May 26th, 2006, 10:32 AM
#3
It's certainly not a "first".
Anybody who's had to remove viruses the last few years is aware how often AV apps are disabled by viruses and even spyware.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 1st, 2006, 04:39 PM
#4
UPDATE: Symantec Updates its Advisories, cats and dogs contemplate marriage...
just in the small chance you have not seen this yet... it's wake-up time!
Updates
Symantec : http://www.symantec.com/avcenter/sec...006.05.25.html
SYM06-010
May 25, 2006
Symantec Client Security and Symantec AntiVirus Elevation of Privilege
Revision History
May 26, 2006 - Updated Products Affected section and other details
May 27, 2006 - Updated Products Affected section with update info
- Updated Unaffected Products section
May 30, 2006 - Added CVE identifier
- Updated Products Affected section with update information
Impact
High
Remote Yes
Local Yes
Authentication Required No
Exploit publicly available No
Overview
A stack overflow in Symantec Client Security and Symantec AntiVirus Corporate Edition could potentially allow a remote or local attacker to execute code on the affected machine.
Symantec also has a page to assist with the patching: http://service1.symantec.com/SUPPORT...06052609181248
ISC : http://isc.sans.org/diary.php?storyid=1368
and another from ISC: http://isc.sans.org/diary.php?storyid=1372
enjoy!
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
-
June 2nd, 2006, 07:15 AM
#5
just in the small chance you have not seen this yet... it's wake-up time!
Do you not think that everyone at this site does not already know this? I think you need to wake up! This is worthless.
He who asks is a fool for five minutes, but he who does not ask remains a fool forever.
--Chinese proverb
-
June 2nd, 2006, 07:52 AM
#6
As quoted by member Guan-Di:
Do you not think that everyone at this site does not already know this? I think you need to wake up! This is worthless.
WTF, you arrogant ****!
This topic has world-wide implications, and may not have been seen by everyone. I for one was on a sabbatical with my wife for several days and did not initially see this.
Bumping up the thread by including an update to the original thread is anything but worthless; in fact, it is the act of a responsible individual, dedicated and committed to making cyberspace a better, safer place to be.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
June 2nd, 2006, 08:35 AM
#7
IKnowNot is quite correct. You don't see all these things, there are just too many these days and if you don't happen to be using a particular application or service, you may not be monitoring it too closely.
Similarly, it is useful to know when the patch is available.
I am sure that many of us are subscribed to a variety of security alerting sites and newsletters. However, I would rather be warned five times than not warned at all.
-
June 2nd, 2006, 09:14 AM
#8
Couldn't agree more. Depending on the week, the amount of work I have planned and the number of alerts, it is all too easy to miss things that may be important. Had it happen with a Microsoft security update and Compaq Smart Array firmware. Fun weekend trying to get things back up and running.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde(1854-1900)

-
June 2nd, 2006, 10:20 AM
#9
... in addition, some users tend to be too complacent when they get too comfortable with their AVs or even their firewalls that they think their computer systems are invulnerable (not!).
There have been discussions about Symantec's NAV being a resource hog... now this... and further, parallel comparisons with Microsoft about being a practical monolith (dominant maybe but not the behemoth that others would want to project).
A jolt such as this identified vulnerability is a constant reminder that user security is a 24/7 concern.
Si vis pacem, para bellum!
-
June 2nd, 2006, 03:23 PM
#10
Has anyone had any issues or surprises with installing the point patch for this? I just don't want to bring my enterprise anti-virus systems to a grinding halt.
Thanks
Cheers: