Tag Archives: Norton Plc

Symantec’s Hole

I am starting to be a bit concerned about the future of blogs, but there’s no question a blog is the best way to get information out to people quickly, especially if it’s about the Internet, technology or tech-related stuff. It needn’t be a blog, but it needs to share the blog’s most powerful features – speed, easy to use and easy to find, and deliverable by the best mechanism we’ve come across so far: RSS.

Case in point: Symantec, one of the world’s biggest makers of antivirus software, are red-faced after EEye Digital Security revealed on Thursday that it had found a software vulnerability inside Symantec’s Anti-Virus Corporate Edition 10.0. As darkreading says, the vulnerability requires no user intervention and could be used to create a worm. This is an important event, and Symantec need to let their customers, and people in general, know about this as soon as possible. So why is the company’s website making no reference to the exploit, except for a “Symantec Client Security and Symantec AntiVirus Elevation of Privilege”, which cannot mean anything to anybody except the smallest circles (an Elevation of Privilege is, according to Microsoft, “the process by which a user obtains a higher level of privilege than that for which he has been authorized. A malicious user may use elevation of privilege as a means to compromise or destroy a system, or to access unauthorized information.”)

No mention in the heading of a vulnerability, or a problem with the very software that is used by a lot of people. Unless you really know what you’re looking for, the advisory doesn’t really shed much light on the issue. Nor does Symantec’s main website: While the main page includes a link to the advisory under its Recent News tab on the left of the page, with the less than informative “AntiVirus Notice: Norton Customers Not Affected; Advisory for Corporate Customers”, I could find no press release two days after the vulnerability had been found and been acknowledged by Symantec. The latest Symantec news release is from Wednesday, the day before the vulnerability was found, and there’s nothing there I can find that relates in any way to the issue at hand. This despite there definitely being a statement out there, because eWeek quote a statement from a Symantec spokesman sent to the magazine.

I’m requesting a comment from Symantec to see what they say about this. Apologies if I’ve missed something here, but my feeling is that Symantec need to be very upfront about this kind of thing — a vulnerability in a piece of software its customers rely on to keep out the bad stuff — and to inform readers, journalists, users and investors in a faster, more open and more informative way than they did so far. A blog would be the perfect place to start.

More On MyDoom, And Why

It’s not my intention for loosewire to become a realtime virus news service, but this is a special case, so here’s more on MyDoom/Novarg, the worm that I’ve reported on before.

Doom, it seems, is being prepared for the SCO Group, a company that sells Unix software and has been the focus of several Internet attacks, apparently in response to its legal claims that Linux contains software that violates its intellectual property.

Symantec have just upgraded the W32.Novarg.A@mm (also known as W32.Mydoom@mm) from a Level 3 to a Level 4 threat (5 is the highest) based on how fast the threat is spreading, the potential damage and the threat distribution. Like MX Logic it is comparing the worm to Sobig.F@mm — discovered on August 13, 2003 — in terms of the number of folk submitting it: more than 960 in 9 hours.

Here’s some more information on what it may do to you if you’re infected:

  • the worm copies itself to the system folder as taskmon.exe and listens to all TCP ports in the range 3127 to 3198, allowing hackers to potentially send additional files to be executed by your computer;
  • it propagates by sending itself to addresses found in files with the extensions: .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab, and .txt;
  • (and here’s the sting) it will also attempt to perform a denial-of-service attack between Feb. 1 and Feb. 12, 2004 against www.sco.com. The worm creates 64 threads that send HTTP “GET” requests to the SCO site. 
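
A defender's check for the two host indicators listed above, as an added example that is not part of the original post: it scans `netstat -ano`-style output for TCP listeners in the 3127 to 3198 range and marks those whose image name is taskmon.exe. The sample output, the PID-to-image map and the function name are constructed for illustration.

```python
# Indicators taken from the post: backdoor listener range and dropped file name.
PORT_RANGE = range(3127, 3199)  # 3127..3198 inclusive
DROPPED_NAME = "taskmon.exe"

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:3150      203.0.113.7:443        ESTABLISHED     4100
  TCP    [::]:3198              [::]:0                 LISTENING       5120
  UDP    0.0.0.0:3130           *:*                                    900
"""

# Constructed PID -> image name map, as a process listing would supply it.
SAMPLE_PROCS = {884: "svchost.exe", 2312: "TASKMON.EXE",
                4100: "firefox.exe", 5120: "devserver.exe"}


def find_suspect_listeners(netstat_text, procs):
    """Return (port, pid, image, name_matches) for TCP listeners in PORT_RANGE."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows in LISTENING state; header and UDP rows differ in shape.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port_text = fields[1].rsplit(":", 1)[-1]  # handles IPv4 and [::]:port
        if not port_text.isdigit() or not fields[4].isdigit():
            continue
        port, pid = int(port_text), int(fields[4])
        if port in PORT_RANGE:
            image = procs.get(pid, "<unknown>")
            # Windows file names are case-insensitive, so compare lowercased.
            hits.append((port, pid, image, image.lower() == DROPPED_NAME))
    # Port plus file name is the stronger signal, so list those first.
    return sorted(hits, key=lambda h: (not h[3], h[0]))


if __name__ == "__main__":
    for port, pid, image, match in find_suspect_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        label = "port and name match" if match else "port only, review"
        print(f"TCP {port} pid={pid} image={image}: {label}")
```

A listener in the range without the file name is only a lead, since other software can legitimately bind those ports.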

One aspect to this that worries me: I’ve noticed it’s not possible (unless I’m missing something) to increase the frequency of automatic virus library updates with Norton Antivirus. In my view updates should be done every day: For example, anyone not updating their software in the last few hours will be vulnerable. Yet how many people do that? I’ve noticed my automatic update seems to do so once a week, if I’m lucky. There must be a better way of doing this simple task: How about using Norton’s own Level alert ladder, which could be routinely checked remotely by users’ computers? If there’s a dangerous virus in the wild, the software updates; if not, it sticks to its normal schedule. How about it?

Zone Labs Snapped Up – Firewalls R Us?

My favourite firewall, Zone Alarm, is being bought by another firewall maker, Check Point Software Technologies [CNet News.com].

It looks to me as if there’s quite significant consolidation within the security software industry, not just from the point of view of big guys buying the smaller guys, but of companies trying to create products that offer an all-round ‘security solution’. Symantec have long peddled this type of idea, but their 2004 embodiments have increased the coverage to include cutting out spam, spyware and even pop-ups. With Check Point focusing on server-side software it makes sense that they grab Zone Labs, whose strength is software for desktops and notebooks.

Expect to see software companies trying to push more integrated software that offers this kind of overall solution to corporates and to ISPs. While it obviously makes sense for companies to farm out these kinds of problems — viruses, spam, any kind of disrupting influence on their networks — to single companies, Internet Service Providers will doubtless see a market to sell something similar to the individual user, keeping such rubbish out of their inbox and away from other subscribers.

My only worry is that such ‘packaged solutions’ may not offer the best individual component: Just because a company makes all the products you need, doesn’t mean they’re all great. I use Norton Antivirus but stick with Zone Alarm because it tells me more about what’s going on.

News: Norton Chips In

I should have known, given the whole virus thing is big business, that if one company announces a new product, its rival down the street isn’t likely to stay silent. Hot on the heels (or maybe before, who knows) of McAfee’s upgrade to its VirusScan, Symantec Corp. announced Norton AntiVirus 2004, although tellingly it’s not ‘widely available’ until early September. (Not trying to muddy McAfee’s launch, are we lads?)
 
 
Norton AntiVirus 2004 takes a slightly different approach to the growing threat of worms, rather than viruses (worms jump aboard without the user doing anything like loading a file, while viruses depend on the user actually doing something). Norton AntiVirus 2004 will include scans for programs on the user’s computer that can be used with malicious intent to compromise the security of a system, spy on the user’s private data, or track users’ online behavior. AntiVirus will identify and block these threats at the point of entry to the system, detecting the threats during scans of email and instant message attachments, or during scheduled or on-demand system scans. This seems a little different to McAfee, although on the surface this all doesn’t sound that new. I’ll take a closer look and get back to you.
 
Norton AntiVirus 2004 and Norton AntiVirus 2004 Professional will be available for an estimated retail price of US$49.95 and US$69.95