Symantec Patches Worm Hole

Company quickly issues fix for 'high-risk' flaw

Working feverishly through the Memorial Day weekend, Symantecs security response team completed patches May 27 for a "high-risk" worm hole in two enterprise-facing product lines.

The flaw, which could allow malicious hackers to take complete control of a system without any user action, was discovered and reported by eEye Digital Security May 24.

In an advisory posted May 26, Symantec described the issue as a stack overflow affecting Symantec Client Security and Symantec AntiVirus Corporate Edition, two product suites targeted at business and government customers.

"[The flaw] could potentially allow a remote or local attacker to execute code on the affected machine," read the advisory from the Cupertino, Calif., company. "Exploiting this overflow successfully could potentially cause a system crash, or allow a remote or local attacker to execute arbitrary code with system-level rights on the affected system."

Symantecs advisory is a confirmation of eEyes earlier warning that the flaw could lead to a self-propagating worm without any user action.

"This is definitely wormable. Once [the suites are] exploited, you get a command shell that gives you complete access to the machine. You can remove, edit or destroy files at will," said eEye spokesperson Mike Puterbaugh.

"We have confirmed that an attacker can execute code without the user clicking or opening anything," Puterbaugh said.

Affected products are Client Security 3.0 and 3.1 and AntiVirus Corporate Edition 10.0 and 10.1. Symantecs Norton security suite is not susceptible to the vulnerability.

Symantec also released IDS (intrusion detection system) signatures to detect attempts to exploit the issue.

As a best practice, the Symantec advisory "strongly recommends" that customers restrict access to administration or management systems to privileged users only, as well as restrict access to the physical host system or systems if possible.

"Keep all operating systems and applications updated with the latest vendor patches [and] follow a multilayered approach to security. Run both firewall and anti-virus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats," the advisory said.

Symantec urged customers to be cautious when visiting unknown or untrusted Web sites and when following unknown URL links. "Do not open attachments or executables from unknown sources or that you didnt request or were unaware of. Always err on the side of caution. Even if the sender is known, the source ad--dress may be spoofed," the advisory added.

Internet security experts have long warned that flaws in anti-virus products will become a major target for malicious hackers. During the last 18 months, some of the biggest names in the anti-virus business have shipped critical software updates to cover code execution holes, prompting speculation among industry watchers that its only a matter of time before a malicious hacker is motivated to create a devastating network worm using security software flaws as the attack vector.

"The big surprise is we havent seen one yet," said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, of Bethesda, Md., in a recent eWeek interview.

In March 2004, the fast-moving Witty worm exploited a zero-day buffer overflow in security products sold by Internet Security Systems. Unlike most self-propagating worms, Witty was capable of corrupting the hard drives of infected machines, preventing normal operation of the PC and eventually causing it to crash.

"This could be Symantecs Witty," Puterbaugh warned.

Quick Fix

* May 24 eEye Digital Security discovers the code execution bug

* May 25 Symantec acknowledges the flaw and starts working on a fix

* May 26 Symantec issues an advisory, confirming Symantec Client Security and Symantec AntiVirus Corporate Edition are affected

* May 27 Symantec issues patches and workarounds

Source: eWEEK reporting