Hackers can crack top antivirus program

by certifiedbug on May 25, 2006

in Programs, Security

eEye
EEYEB-20060524
Vendor: Symantec
Severity: High (Remote Code Execution)
Date Reported: May 24, 2006

ZDNet
May 25, 2006
Remote Exploit in Norton Anti-Virus Puts 200 Million at Risk
Posted by Richard Stiennon

eEye Digital Security is reporting that they have uncovered a major vulnerability in Symantec’s AV product. Basically it will allow a remote hacker to compromise any machine that is running Norton Anti-Virus. This is a big oops. Symantec will have to scramble to get an update pushed out to all of their customers. I would imagine they can do this before an exploit is developed that allows widespread use of the vulnerability or a worm to spread.

The Register
eEye, eEye, D’oh
By Joe Fay
Published Friday 26th May 2006 15:03 GMT

Symantec disclosed this week that researchers have discovered a software vulnerability that could allow hackers to take remote control of a PC and that it is working to verify the hole and provide a patch.

And the software in question? Symantec’s AntiVirus Corporate Edition 10.x. Oops.

symantec.com

SYM06-010
May 25, 2006
Symantec Client Security and Symantec AntiVirus Elevation of Privilege

Revision History
May 26, 2006 - Updated Products Affected section and other details

Update:

SANS Internet Storm Center
Handler’s Diary May 27th 2006
Symantec Patch Posted
Published: 2006-05-27
Last Updated: 2006-05-27 20:01:00 UTC by Deborah Hale (Version: 1)

Symantec has just posted patches for the Security Advisory SYM06-010. It appears at this time that the patches are manual download and install. We don’t know at this point if a product live update will be posted for these patches, but in the meantime it is there for manual load.

So for those of you enjoying the long weekend, look at what you get to look forward to on Tuesday. If you are running Symantec Corporate Edition 10.1 you get to spend Tuesday patching.

Handler’s Diary May 29th 2006
Symantec AV Vulnerability Latest
Published: 2006-05-29
Last Updated: 2006-05-29 21:21:41 UTC by Kevin Liston (Version: 2)

Symantec has updated their advisory

They confirm that the following versions are affected:
Symantec Client Security:
3.0 all builds
3.1 all builds
Symantec Antivirus Corporate Edition:
10.0 all builds
10.1 all builds

The following patches are available:
Symantec Client Security:
3.0 Builds 3.0.2.2010 and 3.0.2.2020
3.1 Builds 3.1.0.394 and 3.1.0.400

Symantec Antivirus Corporate Edition:
10.0 Builds 10.0.2.2010 and 10.0.2.2020
10.1 Builds 10.1.0.394 and 10.1.0.400

Symantec recommends that you upgrade to a “patchable” version. This may be bad news for some organizations.

Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.

At this time, there have been no reports of proof-of-concept code or exploit code other than that held privately by eEye.

We have not received any reports of exploitation in the wild.

Handler’s Diary May 31st 2006
More on Symantec vulnerabilities
Published: 2006-05-31
Last Updated: 2006-05-31 01:21:02 UTC by Bojan Zdrnja (Version: 1)

The latest patches from Symantec are causing quite a bit of confusion. To reiterate again what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):

*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.

Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):

Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there’s a typo here on their website, it’s not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021

Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021

Now, if you are running *ANY* other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion.
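An added inventory triage helper, written for this page and not Symantec’s or the ISC’s code, that encodes the version rules from the diaries above (affected branches, the eight directly patchable builds, and the upgrade-then-patch path for everything else). The host names and the 10.0.1.1000 / 9.0.5.1000 builds in the sample inventory are constructed.

```python
"""Constructed example for SYM06-010 triage; not Symantec's or SANS ISC's code.
Rules quoted above: SAV CE 10.0.x/10.1.x and SCS 3.0.x/3.1.x are affected, SAV CE
8.x/9.x are reported OK, only eight builds are directly patchable, all other
affected builds must be upgraded to one of those builds before patching."""
from typing import List, Optional, Tuple

# Patchable build -> patched build, as listed in the 2006-05-31 ISC diary.
PATCH_MAP = {
    "10.1.0.394": "10.1.0.396", "10.1.0.400": "10.1.0.401",
    "10.0.2.2010": "10.0.2.2011", "10.0.2.2020": "10.0.2.2021",
    "3.1.0.394": "3.1.0.396", "3.1.0.400": "3.1.0.401",
    "3.0.2.2010": "3.0.2.2011", "3.0.2.2020": "3.0.2.2021",
}
PATCHED_BUILDS = set(PATCH_MAP.values())
AFFECTED_BRANCHES = {(10, 0), (10, 1), (3, 0), (3, 1)}  # (major, minor)
REPORTED_OK_MAJORS = {8, 9}                             # SAV CE 8.x / 9.x

def parse_build(build: str) -> Tuple[int, ...]:
    """'10.1.0.394' -> (10, 1, 0, 394); reject anything but dotted integers."""
    parts = build.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted build number: {build!r}")
    return tuple(int(p) for p in parts)

def triage(build: str) -> Tuple[str, Optional[object]]:
    """Classify one installed build as (status, detail); detail is the patched build
    to install, the patchable builds to upgrade to first, or None."""
    v = parse_build(build)
    if v[:2] not in AFFECTED_BRANCHES:
        # Only 8.x and 9.x are explicitly reported OK; anything else is unknown.
        return ("not affected" if v[0] in REPORTED_OK_MAJORS else "unknown", None)
    if build in PATCHED_BUILDS:
        return ("patched", None)
    if build in PATCH_MAP:
        return ("patch available", PATCH_MAP[build])
    # Affected but not directly patchable: list the patchable builds on this branch.
    targets = [b for b in PATCH_MAP if parse_build(b)[:2] == v[:2]]
    return ("upgrade first", sorted(targets, key=parse_build))

def triage_inventory(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[object]]]:
    """Run triage() over (host, build) rows; hosts that still need work come first."""
    done = {"patched", "not affected"}
    result = [(host, *triage(build)) for host, build in rows]
    return sorted(result, key=lambda r: r[1] in done)

if __name__ == "__main__":
    SAMPLE = [("ws-01", "10.1.0.394"), ("ws-02", "10.1.0.401"),  # constructed hosts
              ("ws-03", "10.0.1.1000"), ("srv-01", "9.0.5.1000"), ("ws-04", "3.0.2.2020")]
    for host, status, detail in triage_inventory(SAMPLE):
        print(f"{host:7} {status:16} {detail or ''}")
```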
