Symantec Under Fire for Bugs, Flaws

It's shaping up to be a bad week for antivirus software company Symantec, after researchers raised alarms about security holes and buggy code in two of the company's products.

Symantec did not immediately respond to requests for comment on the two security issues.

On Monday, Symantec acknowledged a report about a serious security flaw in Symantec Security Check, a free online service that enables users to scan their computer's vulnerability to a number of security threats.

According to a message posted in the online discussion group Full-Disclosure on Sunday, an ActiveX control installed by the Security Check service contains a buffer overflow vulnerability that could enable a remote attacker to crash or run malicious code on systems that had the control installed.

The control, named "Symantec RuFSI Utility Class" or "Symantec RuFSI Registry Information Class," is used to run the security check, but remains on systems after the scan is complete, according to a statement from Symantec.

After learning of the security hole on Monday, Symantec updated the ActiveX control in the Security Check service. Individuals who rescan their systems will receive the updated control.

Symantec also provided instructions on updating the control or removing it from affected systems.

However, security researchers monitoring the issue noted that simply updating the control does not end users' vulnerability to attack--especially if the control contains Symantec's digital signature.

Attackers who have a copy of the flawed ActiveX code with a valid digital signature could trick a Microsoft Windows system into accepting the control, opening that system to attack even if the PC never had the faulty component installed, according to a notice posted to Full-Disclosure by Jason Coombs, a software security expert in Kea'au, Hawaii.

Symantec also found itself in hot water on Monday after customers using Symantec AntiVirus Corporate Edition reported that an automated antivirus definition update from the Cupertino, California, company caused the antivirus software to fail. The problem was disclosed in the NTBugtraq discussion list on Monday.

The problem stemmed from a faulty antivirus "microdefinition update" distributed on June 19, according to Russ Cooper, NTBugtraq moderator and surgeon general of TruSecure.

Microdefinition updates are a new feature with Version 8 of the Symantec AntiVirus Corporate Edition; they enable systems running the software to download small, incremental antivirus definition updates rather than large, comprehensive definition update files, Cooper said.

Symantec's antivirus software would not start on desktop systems that installed the faulty update, leaving some customers without antivirus protection on desktops and servers that ran the software.

Cooper received confirmation of the problem from at least 30 companies. "Thousands" of systems running the software were affected, he said.

A Symantec knowledge base document created on June 20 and updated on Monday acknowledged the existence of the faulty update and provided instructions on how to repair systems that had downloaded the faulty update.

Customers affected by the bad antivirus update should remove it from "parent" distribution servers and desktops on their network before obtaining and loading the valid definition update file on the distribution servers, which will then distribute the update file to affected desktops.

Symantec Antivirus Corporate Edition version 8 systems that downloaded a full definition update (.vdb) file or that acquired virus updates using Symantec's LiveUpdate or Intelligent Updater services are not affected, Symantec said.

The problems are just the latest examples of problems introduced by antivirus companies.

In May, Trend Micro was forced to issue a fix for an embarrassing snafu caused by an update to the EManager e-mail security product; the update blocked all e-mail containing the letter p.

The problem stems from popular auto-update features that automatically distribute virus definitions and software updates to remote systems, Cooper said.

Such mechanisms frequently lack the ability to verify that an update is properly installed on the systems that receive it, or the ability to roll back faulty updates in the event that problems are introduced, he said.

Antivirus companies frequently use the update features to silently distribute software patches to their customers, too, according to Cooper.

As currently implemented, such systems can easily and quickly distribute buggy or vulnerable code to thousands of systems, he said.

"Here we have Symantec attacking its own customers with a flaw. So we don't have to worry about the bad guys doing it. Symantec is doing it for them," Cooper said.