There was a time, it must have been at least five years ago, when we would tell users (at least unofficially) that if you were running an old version of an antivirus program with no update subscription, you were better off than with nothing, In fact, you would still block almost all of the threats you were likely to encounter.
How wrong that advice is now! Its hardly the first time its happened, but Symantec confirmed independent reports of a serious vulnerability in their products. The flaw, which lies in the scanning of .RAR files, exists in a wide variety of consumer and enterprise products and amounts to the most dangerous and scary kind of vulnerability: All that need happen is that someone send you an e-mail, the Symantec product will scan it and be compromised.
There isnt an exploit circulating yet, at least not publicly, and now were in a race: If the exploit precedes the fix we have a big problem. If the fix precedes the exploit, things are different, but still problematic. Enterprise customers will be set up to update themselves for the patch, but consumer versions of Symantec products dont typically auto-update for software fixes, just for signature updates. For a patch, you need to run the LiveUpdate program manually. Perhaps this has changed in the 2006 versions; well know soon.
There was a similar report from Symantec in early October: a buffer overflow vulnerability in Symantecs AntiVirus “Web Service Administrative Interface” allowed remote exploitation. Fortunately, it appears that only enterprise products were affected.
Other vendors, unsurprisingly, have similar issues in their products. For example, there has been an allegation in the last few days by a researcher of an exploitable vulnerability in the McAfee Security Center. The originality and impact of this specific advisory has been disputed on the Full-Disclosure list. I think we havent seen the last of that one.
And just a couple weeks ago a series of vulnerabilities were revealed in Trend Micro products, including their consumer PC-Cillin program, and updated. One announced vulnerability allowed an attacker to escalate privileges or disable protection. The others focused on server protection products, although those are where Trends real market impact is.
Of course researchers, like everyone else in the security business, focus on the big players and Ive just listed the “Big 3” in the security business. There are a surprising number of smaller players in anti-virus and other security fields, even in the consumer markets. Consider this report on a vulnerability in F-Secure products very similar to the Symantec report. But I never heard anything about attacks based on that vulnerability, and its not hard to see why.
Just as some people buy Macintoshes in order to avoid Windows vulnerabilities, it might make sense to buy a “little guy” security program in order to fly under the radar of the vulnerability researchers. Even if the program has just as many vulnerabilities, known and unknown, as the big boys, you still throw a monkey wrench in the works of any attacker.
Thats one approach you can take, but whatever you do, running an old antivirus program with no access to updates is not the approach to take. Obviously times have changed in terms of the velocity of new threats, and people with old AV are susceptible to these. But when vulnerabilities show up in the AV products themselves they amount to a big “Exploit Me” sign on the Internet.
In fact, are you still looking for a last-second gift for someone? If they dont have AV or their subscription has lapsed, go buy them a new one with a new subscription. You can do it online any time, even on Christmas day, youll be doing them a big fat favor, and youll get to spend time with them, or at least with their computer. (Boy do I know how that feels!)
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer