Symantec released IPS signatures for Symantec Client Security Versions 3.1 and 3.0 and Symantec Antivirus Corporate Edition (CE) 10.1 and 10.0 to users via LiveUpdate for Symantec Client Security that went out on Sunday — four days after the vulnerability was discovered by eEye Digital Security. Symantec posted these fixes (in English only) on its Web site with patches for localized versions pending, according to the company.
If exploited, the flaw could allow a remote or local attacker to create a worm capable of taking over a user’s computer and destroying critical programs and files without the user even knowing, making this type of vulnerability even more dangerous.
“The severity is high because a worm can perform a remote code execution, which means a machine can be taken over completely,” said Tom Slodichak, chief security officer at White Hat Inc., a security vendor that has offices in Burlington, Ont. and Williamsville, New York. “The ramifications there are destruction of data or files or a back door could be inserted without the users’ knowledge.”
In a written statement, Symantec said, “To date, Symantec has not had any reports of any related exploits of this vulnerability.” Company officials were not available for comment on Monday. On its Web site, Symantec thanked eEye Digital Security for reporting the issue and for working with it on the resolution.
York University, which runs Symantec Antivirus CE 10.0 on its systems, said it found out about the flaw last week.
“We are somewhat worried,” said Jane Takaoka, who works in the micro services department at York. “We probably will be blanketing the people we support as soon as we can.”
York is currently implementing the patch for CE 10.0 across its 125 servers but has yet to do so for its approximately 1,500 desktops across campus that still need updating.
“We’re going to have to come up with a process for implementing it,” said Takaoka. “It looks like we have to visit every desktop in order to do this, which is very labour intensive.”
Takaoka said she did not know when the university will apply patches to those machines.
“The labs are a little bit easier because we can do those remotely,” she said. “It’s the administrative (desktops) that are the problem.”
A security expert at the University of Calgary said he’s surprised we’re not seeing more vulnerabilities like this one.
“Having a flaw discovered in software like this isn’t surprising,” said John Aycock, assistant professor, department of computer science, University of Calgary. “In general, the software is amazingly complicated. If anything, it’s surprising not more of these flaws are discovered.”
Whereas cybercriminals used to target large companies’ systems for notoriety, more recently the trend has been towards doing so for financial gain by obtaining customer data, as evidenced by the rise of identity theft cases. Wrongdoers are also going after hardware vendors, said White Hat’s Slodichak.
“Cisco has become a target,” he said. “Because it’s kinda neat to own a core switch in a large organization rather than just one server or one workstation.”
Slodichak added that the complexity of the software has also limited vendors’ ability to do quality control testing.
“We’re going to see issues like this arise across all manufacturers,” he said. “It’s a see-saw. Sometimes the black hats are ahead and sometimes the white hats are ahead.”
While there’s no foolproof solution against guarding your company’s network, Jack Sebbag, general manager, McAfee Canada, says the best defense is a multi-tiered approach.
“You need to use a layered approach to protect yourself,” said Sebbag. “This includes firewall, antivirus, daily vulnerability and risk management scans to understand where your issues are and keeping your patches updated with Microsoft’s announcements.”
Vendors like McAfee and Symantec, however, also need to constantly monitor their software for any holes. McAfee set up the Antivirus Emergency Response Team (AVERT) to review samples based on things that users might believe would compromise systems. McAfee also has a group of people in its labs doing “ethical hacking” where they try to find areas of compromise in its software.
Likewise, Symantec has a security operation centre (SOC) in Alexandria, Va. that provides its clients with 24-7 security analysis, early warning detection and the ability to defend against suspended acts immediately.