Discussion in 'other security issues & news' started by ronjor, Jan 25, 2012.
Serious/Bad if it has come to this.
Critical flaw discovered in Symantec's pcAnywhere
So strange how we never see patches for antiviruses etc until something drastic like source code leaks or it actually gets exploited. These programs are installed on so many computers I wonder how long before attackers just start going for them instead.
Has Symantec published anything about when/if they intend to patch this?
I see they have a patch for v12.5. We're running 12.0.
Patches are on the way for 12.0 and 12.1.
Maybe because they were hacked in 2006 and their source code was stolen. Then they kept it under wraps.
BBC News Technology ~ Symantec advises disabling pcAnywhere software
Symantec: We Didn’t Know in 2006 Source Code Was Stolen - Wired
All those times, over the past 5 years or so, that the hacker community told people to quit using Symantec products, and were labeled as haters by fanboys (or company-paid mouthpieces), it is amazing how they are so vindicated in their warnings.
Symantec saying they are a security company is equivalent to those who purchased their degrees but didn't go through the schooling.
Having source code stolen doesn't put the vulnerabilities there - they were always there. Security programs are big and complex and deal directly with malware, often as a first line of defense. They're prime for exploitation and even often directly hook the kernel/ run with very high privileges. I'm honestly surprised we don't see more security programs being exploited.
Delicious attack surface.
And with the "layered" approach the surface may be larger?
Yes, definitely. When you stack on any software you stack on more vulnerabilities. When you stack on security software you get a lot of vulnerabilities in programs that are doing incredibly dangerous things ie:
1) Directly dealing with malicious code - before any PDF player gets its hands on it, or even before a packet gets to the firewall, your AV is going to be reading it.
2) Hooking the kernel directly.
And maybe AVs are patching behind the scenes, but I don't know of any that has the kind of disclosure we see even in Flash/Java.
They're all written in C/C++ pretty much and they all do some dangerous actions. I wouldn't be surprised if we saw MSE start to get exploited since it's gaining such market share.
It’s a better idea to disable this product until the firm releases a final set of software updates that resolve currently known vulnerability risks.
Could you elaborate on this? What exactly are you talking about?
I mean, how often do you get a security advisory from an AV saying "Hey, we had an exploit so we patched it"? It doesn't look good for them when they tell everyone they had a vulnerability; people don't realize that AVs are vulnerable, so the AV companies aren't going to remind them.
You see Java/Flash send out patches all of the time (or not quite in Java's case, but at least sometimes) and there's a lot of disclosure about it: "Yes, we had an exploit, we patched it," and they'll even tell you before the patching sometimes if the exploit's in the wild.
I've never seen that for an AV and AVs are really prime to be attacked IMO. They need rights to the entire system, hook the kernel directly most of the time, and deal with malware directly. It's just not as prime as something like Flash/Java because there aren't any standard AVs on 98% of computers - with MSE being released on Win8 and already holding huge market share I won't be surprised when it's exploited.
Maybe you never looked correctly?
And here, for example:
* IS: fixed a vulnerability in aswFw.sys (Secunia Advisory SA40868)
* solved a vulnerability related to license files (Secunia Advisory SA41109)
Also, AVs pretty much always update themselves automatically and/or remind users of available updates. Windows itself detects outdated AVs and takes a number of actions to fix them.
Can you find that for an AV that's closed source? I'm legitimately curious.
Those links are all about Avast! Free Antivirus (my choice, lol), which is a closed source AV.
Ah, I see you're right - for some reason I'd thought it was open source. I wonder how common this is though as I don't really see it very often. Often crashes experienced by the user are actually vulnerabilities so "bugs" actually are vulns - easy to label either way.
Either way my point stands - code written in C++ that directly hooks the kernel and directly deals with malicious software.
EDIT: It still seems that there isn't disclosure in the same way. I.e.: with Microsoft you have CVEs all of the time, before exploits are even in the wild or after, etc., and consistent patches monthly. I just don't see this with AVs, so it's either not advertised as much or just not happening.
Woah, Symantec in trouble?
"Symantec drops don't use advice, gives pcAnywhere all-clear" : https://www.computerworld.com/s/art...vice_gives_pcAnywhere_all_clear?taxonomyId=17
So, for those in the know: if you apply the latest hotfix shown here from Symantec and those two DLLs are patched as well as the one EXE, are you now fully patched?
Need to get this taken care of on one of my critical servers here at work tonight.
I'm not in the know, but I believe I would upgrade.