Antivirus: May 2006 Archives
I don't see it reflected on their public bulletin yet (give it some time), but the ftp site now has updates for 10.0.2.2000 and 10.0.2.2001 that patch them to version 10.0.2.2002.
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.0/updates/
These patches keep trickling out. If you are running an earlier build of SAV 10 than is currently patched, keep waiting; I'd expect it out in the next couple of days.
ISC is reporting that exploitation occurs through the management port that is opened on managed SAV clients. I haven't seen a source for that. If your personal firewall policy is really granular, for example allowing only the parent server to connect to that port and no one else, then you may be in good shape.
If Marc had simply informed the manufacturer of the problem, and told no one else, we'd be in about the same shape as we are now. Their version of responsible disclosure does little to let people using this product protect themselves other than hope for fast patching. That isn't always feasible in an enterprise environment. I suspect most people are still working on patching Flash and QuickTime, that is if they bother to patch applications at all.
SANS ISC is reporting that
Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.
What exactly does this mean? In the not-so-distant past, patching Symantec has meant testing and rolling out an entirely new version of the product. If you know anything about mst files, this is much simpler. I guess some people are expecting this to be deployable through LiveUpdate; I'm not sure where they'd pick up that expectation. Deployment of this patch will require a reboot, but if you used an enterprise-ready method of deploying SAV in the first place, deploying a patch isn't that difficult. The biggest problem I expect is the user revolt that requiring another reboot will cause.
Here's the breakdown for those like me who know version numbers better than this mr mp pp versioning system.
For SAV Corporate Edition the following versions have patches available (unpatched -> patched):
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021
10.1.0.394 -> 10.1.0.396
10.1.0.400 -> 10.1.0.401
Surprisingly, Symantec has not patched the initial release of SAV 10, 10.0.2.2000. I don't know if a patch is coming for them or not. Apparently 10.0.2.2001 users need to upgrade to 10.0.2.2010 or 10.0.2.2020 first. Basically it's applying one mst file for the build update and then another mst file for the point patch (they can be combined in one command such as msiexec /p "patch1;patch2"). I guess that is easier than doing a full upgrade to 10.1, although that would at least get some new features.
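To make the two-hop chain concrete, here is a small planner I added for this post (it is not Symantec's tooling or anything from the ftp site). It encodes the unpatched -> patched table above plus the interim step for 10.0.2.2001, and emits the single semicolon-separated msiexec /p command line described above for pushing through SMS. The patch file names, the log path and the REBOOT=ReallySuppress property (so SMS can schedule the reboot rather than the patch forcing one) are my assumptions.

```python
import re

# Unpatched -> patched builds, as listed in the post above.
PATCHED_BUILDS = {
    "10.0.2.2010": "10.0.2.2011",
    "10.0.2.2020": "10.0.2.2021",
    "10.1.0.394": "10.1.0.396",
    "10.1.0.400": "10.1.0.401",
}

# Builds with no direct patch that must first move to a build that has one.
# 10.0.2.2001 -> 10.0.2.2020 is the route the post describes (MR2 MP2 first).
INTERIM_UPGRADE = {"10.0.2.2001": "10.0.2.2020"}

# HYPOTHETICAL file names for each target build; the real names on the FTP site differ.
PATCH_FILES = {
    "10.0.2.2011": "sav_10.0.2.2011.msp",
    "10.0.2.2020": "sav_10.0.2.2020_buildupdate.msp",
    "10.0.2.2021": "sav_10.0.2.2021.msp",
    "10.1.0.396": "sav_10.1.0.396.msp",
    "10.1.0.401": "sav_10.1.0.401.msp",
}


def version_key(v):
    """Validate a 4-part SAV build string and return it as a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+){3}", v):
        raise ValueError(f"not a 4-part SAV version: {v!r}")
    return tuple(int(x) for x in v.split("."))


def patch_plan(installed):
    """Return the ordered (from_build, to_build) steps needed for this build,
    [] if it is already a patched build, or None if no patch path is known
    (e.g. 10.0.2.2000 at the time of the post).

    Builds are matched exactly, not compared numerically: 10.0.2.2020 is a
    higher number than the patched 10.0.2.2011 but is still unpatched."""
    version_key(installed)  # reject malformed inventory data early
    if installed in PATCHED_BUILDS.values():
        return []
    steps = []
    current = installed
    if current in INTERIM_UPGRADE:
        steps.append((current, INTERIM_UPGRADE[current]))
        current = INTERIM_UPGRADE[current]
    if current in PATCHED_BUILDS:
        steps.append((current, PATCHED_BUILDS[current]))
        return steps
    return None


def msiexec_command(steps, log_path=r"C:\Windows\Temp\sav_patch.log"):
    """One msiexec /p invocation applying every step's patch in order, semicolon
    separated as the post notes. /qn keeps it silent for SMS; REBOOT=ReallySuppress
    stops the patch rebooting mid-session so the reboot can be scheduled instead."""
    files = ";".join(PATCH_FILES[to_build] for _, to_build in steps)
    return f'msiexec /p "{files}" /qn REBOOT=ReallySuppress /l*v "{log_path}"'


if __name__ == "__main__":
    for build in ("10.0.2.2001", "10.1.0.394", "10.0.2.2000", "10.1.0.401"):
        plan = patch_plan(build)
        if plan is None:
            print(f"{build}: no known patch path")
        elif not plan:
            print(f"{build}: already patched")
        else:
            print(f"{build}: {msiexec_command(plan)}")
```

Feed it the version column from an SMS hardware-inventory export and you get one command line per build rather than hand-assembling the chain for each machine.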
Additional patches for localized and platform-specific builds (does that mean 64-bit?) have an ETA of Tuesday. I find that approach interesting because Microsoft chooses not to favor its English-speaking customers, preferring to patch all systems at the same time.
Symantec has released patches for Symantec Antivirus. The files are on their ftp site but the support site isn't updated yet.
It looks like, since I'm running 10.0.2.2001, I'm going to have to apply the 2020 build mst file (MR2, MP2) before I can apply this fix. :(
I guess I have to learn a bit about mst files. I think I should be able to chain the two files together but I'm not sure of the exact syntax to use when pushing that out with SMS.
eEye is reporting that
a remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.
This is reported in SCS 3 and SAV 10. Currently it is not known whether they have tested earlier versions.
This is a follow-on post on the exploitation of the Invision forum used by Six Apart for its free Movable Type support.
The code that is serving up the WMF exploits is in an IFRAME using an obfuscated URL. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger, Will Robinson, danger), which I believe is hosted in Russia. Their DNS server is on the same IP block.
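The post does not say which obfuscation the iframe used, and the IPTools.com decoder is a black box, so here is an added example of doing the same job locally (my code, not the post's and not IPTools.com's). It handles the tricks that were common in drive-by iframes of this era: HTML-entity and percent-encoded characters, a decoy "trusted-site@" userinfo prefix, and numeric hosts written as a dword, hex, octal or short-form IP. The sample URLs at the bottom are constructed and resolve to example.com or 192.168.1.1, not to the site from the post.

```python
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit, urlunsplit


def _octet(tok):
    """Parse one dotted component as hex (0x..), octal (leading 0) or decimal,
    mirroring how IE/WinInet interpret numeric hosts."""
    if tok.startswith("0x"):
        return int(tok, 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def normalize_host(host):
    """Collapse dword / hex / octal / short-form numeric hosts to dotted decimal.
    Anything that is not a numeric host is returned unchanged (lower-cased)."""
    h = host.lower().rstrip(".")
    if not re.fullmatch(r"[0-9a-fx.]+", h):
        return h
    try:
        parts = [_octet(p) for p in h.split(".")]
    except ValueError:
        return h
    if len(parts) == 1:
        value = parts[0]                       # http://3232235777/ or http://0xC0A80101/
    elif 2 <= len(parts) <= 4:
        if any(p > 255 for p in parts[:-1]):   # only the last part may span several octets
            return h
        value = 0                              # a.b, a.b.c: last part fills the remaining octets
        for p in parts[:-1]:
            value = (value << 8) | p
        value = (value << (8 * (5 - len(parts)))) | parts[-1]
    else:
        return h
    if value > 0xFFFFFFFF:
        return h
    return str(ipaddress.IPv4Address(value))


def deobfuscate_url(raw):
    """Resolve the real target of an obfuscated URL and list the tricks seen."""
    tricks = []
    url = html.unescape(raw.strip())           # &#104;ttp -> http (entity-encoded iframe src)
    if url != raw.strip():
        tricks.append("html-entities")
    decoded = unquote(url)                     # %65xample -> example; decoded before parsing
    if decoded != url:                         # so encoded '@' or '/' delimiters are exposed too
        tricks.append("percent-encoding")
        url = decoded
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.username is not None:             # http://trusted.example@real-host/ : decoy userinfo
        tricks.append("userinfo-decoy")
    host = parts.hostname or ""
    real_host = normalize_host(host)
    if real_host != host.lower():
        tricks.append("numeric-host")
    try:
        port = parts.port
    except ValueError:                         # non-numeric port: treat as absent
        port = None
    netloc = real_host + (f":{port}" if port else "")
    path = parts.path or "/"
    return {
        "scheme": parts.scheme.lower(),
        "host": real_host,
        "port": port,
        "path": path,
        "clean": urlunsplit((parts.scheme.lower(), netloc, path, parts.query, "")),
        "tricks": tricks,
    }


if __name__ == "__main__":
    # Constructed samples, not the URL from the post.
    for sample in (
        "http://www.example.com@0xC0A80101/dl/page.php",
        "http://3232235777/dl/page.php",
        "http://0300.0250.1.1/",
        "&#104;ttp://%65xample.com/%61dv.php",
    ):
        r = deobfuscate_url(sample)
        print(f"{sample!r:48} -> {r['clean']}  tricks={r['tricks']}")
```

Run it over every src= you pull out of a suspect page before you touch any of them in a browser; the "tricks" list is also a decent indicator on its own, since legitimate embeds rarely need a dword host or a decoy userinfo prefix.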
If you are running Internet Explorer when you go to that website you get exploited.
Spoofing IE6 on XP SP2, I get an obfuscated script. Not sure how to detangle that.
Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision. So this has been occurring for a while.
While watching a little NASCAR this evening and IMing with friends, I decided to check out the Movable Type Support Forum. Movable Type is the blog software I use over at infosecblog.org.
The second I browse to http://www.sixapart.com/movabletype/forums/index.php I notice an odd script prompt:
Next I got virus alert popups from Symantec Antivirus telling me I had wmf exploits in my temp files!
It looks like Six Apart (the company that makes movable type) is using Invision Power Board version 2.0.4. A major vulnerability was announced on this version a few days ago.
Moral of the story, if you haven't learned it already: 1) patch your system; 2) keep your antivirus up to date; 3) even when you aren't surfing the seedy underbelly of the web, you can get exploits thrown at you.
I’ve sent an alert to the ISC as well as to the webmaster at six apart.