SecurityTracker.com
Category:  Application (Security)  >  Norton Anti-Virus
Vendors:  Symantec
Symantec Norton Anti-Virus Intelligent Update Failure May Disable Protections
SecurityTracker Alert ID:  1007039
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 23 2003
Impact:  Denial of service via network, Host/resource access via network
Vendor Confirmed:  Yes
Version(s): 8.0
Description:  A vulnerability was reported in Symantec's Norton Anti-Virus in the Intelligent Updater feature. A defective definition update may cause the anti-virus functions to become disabled. The affected updates were released on Thursday, June 19, 2003.

The report indicates that the flaw resides in the "microdefinition updates" function. The update files released by Symantec were reported to be defective (at least for some duration on June 19, 2003). Some systems that downloaded the defective updates were reported to have their antivirus protection disabled. It was reported that the antivirus service would not start if the system was rebooted after receiving the affected update; until a reboot, the service reportedly kept running with the previous day's definitions, so the failure may not be noticed immediately.

According to the report, only version 8.0 clients, which use the incremental microdefinition updates, were affected; version 7.5 clients, which receive the full definition set on every update, were not affected.

Systems using LiveUpdate were reportedly not affected.

Impact:  The anti-virus service may fail to operate on affected systems, allowing malicious files to be processed without prevention or detection by ostensibly protected systems.
Solution:  No solution was available at the time of this entry. According to the report, Symantec has indicated that, as a workaround, customers affected by this issue can restore protection by copying the full 4 MB '.VDB' file to the affected system(s) and either restarting the service or, if the service will not restart, rebooting the system. Because the failure only manifests after a reboot, administrators should check the state of the anti-virus service on systems that have rebooted since receiving the June 19 update.
Vendor URL:  www.symantec.com/
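The check and the workaround described above, as an added example written for this page (it is not code from the advisory, from Symantec or from the original reporter): the script queries a list of Windows hosts for the state of the anti-virus service, and on hosts where it is stopped copies the known-good full .VDB file into place, tries to start the service, and flags the host for a reboot if the service still will not run. The service name, the source and destination paths of the .VDB file and the host list are all assumptions and must be replaced with the values for your environment; it uses Get-Service -ComputerName, which exists in Windows PowerShell 5.1 but not in PowerShell 7.

```powershell
# Added example, not part of the advisory. Checks hosts for a stopped AV
# service and applies the vendor workaround the advisory describes:
# copy the full .VDB file, restart the service, otherwise flag for reboot.
#
# All four parameters are hypothetical defaults for illustration only.
param(
    [string[]] $Hosts       = @('ws001', 'ws002', 'srv-file01'),    # constructed sample host list
    [string]   $ServiceName = 'Symantec AntiVirus',                 # assumed service name; verify with Get-Service on one client
    [string]   $VdbSource   = '\\av-server\defs\full.vdb',          # assumed location of the known-good 4 MB .VDB file
    [string]   $VdbDestDir  = 'C$\Program Files\Symantec AntiVirus' # assumed destination folder, via the admin share
)

$report = foreach ($h in $Hosts) {
    # Remote service query (RPC to the target; Windows PowerShell 5.1 only).
    $svc = Get-Service -ComputerName $h -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Host = $h; State = 'service-not-found'; Action = 'investigate' }
        continue
    }
    if ($svc.Status -eq 'Running') {
        # Still protected (possibly with the previous day's definitions if not yet rebooted).
        [pscustomobject]@{ Host = $h; State = 'Running'; Action = 'none' }
        continue
    }

    # Service is stopped: apply the workaround from the advisory.
    $dest   = Join-Path "\\$h\$VdbDestDir" (Split-Path -Leaf $VdbSource)
    $copied = $false
    try {
        Copy-Item -Path $VdbSource -Destination $dest -Force -ErrorAction Stop
        $copied = $true
        # Start-Service accepts a remote ServiceController object from Get-Service -ComputerName.
        Start-Service -InputObject $svc -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))   # throws on timeout
        $action = 'vdb copied, service restarted'
    } catch {
        # The advisory's fallback when the service will not restart is a reboot.
        if ($copied) { $action = "vdb copied, restart failed ($($_.Exception.Message)): REBOOT REQUIRED" } else { $action = "copy failed ($($_.Exception.Message)): investigate" }
    }
    $svc.Refresh()
    [pscustomobject]@{ Host = $h; State = $svc.Status; Action = $action }
}

$report | Format-Table -AutoSize
```

Run it from an account with administrative rights on the targets; hosts reported as REBOOT REQUIRED are the ones the advisory says must be restarted before protection returns, and any host reported as service-not-found should be checked by hand rather than assumed unaffected.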
Cause:  Exception handling error
Underlying OS:  Windows (Any)
Reported By:  Russ <Russ.Cooper@RC.ON.CA>
Message History:   None.


Source Message Contents

Date:  Mon, 23 Jun 2003 12:16:45 -0400
From:  Russ <Russ.Cooper@RC.ON.CA>
Subject:  Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems


I got this message late Friday night (EDT). The writer requested
anonymity. I immediately forwarded a copy of it to Symantec for
confirmation. On Saturday Symantec indicated I could expect a response
on Monday. Given that this has happened before, and given the
possibility that your AV may be disabled, I've decided not to wait for a
response from Symantec.

I have confirmation from another source that as of Friday afternoon the
update was not causing any problems, so there was a small window
wherein you may have been affected. Read the note below thoroughly and
then check a few systems in your environment to see if their AV is
disabled.

If you find your AV disabled, drop me a note so I can get an idea of how
many were affected.

Cheers,
Russ - NTBugtraq Editor

----
Reporting this to you directly, I'd rather not have this posted to the
mailing list with my identifying information.  I have not yet seen this
reported anywhere.

We experienced a major failure in our Symantec Antivirus protection
software today, caused by a faulty set of definition updates from
Symantec. Specifically, the updates they released yesterday
(rc:Thursday, June 19th) via their Intelligent Updater mechanism had a
problem that caused all 8.0 clients to choke. Earlier versions of
clients (7.5) were not affected.  The problem was somewhere in the
mechanism that performs "microdefinition updates".  This is new for 8.0
corporate edition, and allows the systems to get definition updates with
small incremental transfers (typically under 100K for each update), as
opposed to 7.5 clients which have to get the full 4MB of data on every
update.

The problem was spotted today (rc:Friday, June 20th) when some users
reported that their systems were complaining about the antivirus
protection being disabled.  What we quickly determined was that
something was messed up by Thursday's daily update, and the antivirus
service would not start on any system which had been rebooted since that
update occurred.

Symantec tech support said they were aware of the problem, and provided
me with a way to fix affected systems:  copy the full 4 MB .VDB file to
those systems, and then restart the service or reboot the system if the
service could not be restarted.

Two major concerns over this incident:  First, this problem effectively
stomped on our entire desktop/server antivirus protection for file
systems. Due to various mitigating factors (see below), our most serious
exposure was limited to about 15% of our user desktops, and none of our
servers, but the potential was there for near 100% failure of corporate
antivirus filesystem protection.  Second, Symantec has not issued any
security alert for this issue, nor have they posted any information on
their website, at least not in any location that I've been able to find
so far.

Mitigating factors:

1)  Systems running 7.5 clients were not affected.  Only 8.0 clients
utilize the microdefinition updates, and they were the only ones
affected.

2)  When a system got the faulty updates, the service would continue
running, performing realtime scans using the previous day's definitions.
It only stopped working when the system was rebooted.  (Which many of
our users do every night, hence the problem not showing up until this
morning.)

3)  This only affected those sites which use the Intelligent updater to
get the daily updates.  Those using LiveUpdate to get the weekly updates
were not affected.

4)  Furthermore, I suspect (but do not know) that this only affects
those using the corporate edition of their software, which allows you to
have a single server retrieving updates from Symantec, and then
distributing those updates automatically to all other systems in your
network.

It was not a fun day for me today.  :-/
----


Copyright 2002, SecurityGlobal.net LLC