Text 14782, 81 rader
Skriven 2006-12-17 09:10:02 av mike (1:379/45)
Ärende: Worm Attacks Symantec Enterprise AntiVirus
==================================================
From: mike <mike@barkto.com>


http://www.informationweek.com/shared/printableArticle.jhtml?articleID=19670007
1

===
The malware exploits a critical vulnerability in Symantec AntiVirus and
Symantec Client Security, two of the vendor's business security products.

A "significant" worm is successfully attacking unpatched Symantec enterprise
anti-virus software because companies focus too much attention on Microsoft's
flaws and ignore those from other vendors, a security company warned Friday.

"Big Yellow," the name eEye Digital Security has given the worm, was first
captured Thursday by one of the company's honeypot systems. The worm, which
also has a botnet component that turns a victimized machine into a zombie at
the beck and call of its controller, exploits a critical vulnerability in
Symantec AntiVirus and Symantec Client Security, two of the vendor's business
security products. That vulnerability was reported to Symantec by eEye in May;
the former fixed the flaw in June.

Symantec's first notice of the vulnerability in AntiVirus and Client Security
was posted May 26, and patches were made available June 6. On Nov. 29, Symantec
made note of the release of exploit code.

"We've seen exploit code for some time, but [Big Yellow] is the first truly
automated threat," says Marc Maiffret, eEye's chief technology officer. The
worm, which appears to be of Chinese origin, already has infected a number of
systems worldwide.

But while Maiffret took Symantec to task for downplaying the threat as far back
as May, he left his most pointed criticism for short-sighted enterprises.

"Symantec used crappy wording [in its alert]. When a security professional
reads 'elevation of privilege,' they think of something that can be only
exploited locally. But this is a remotely exploitable bug. Symantec tried to
downplay the threat, but they just do themselves, and their customers, a
disservice by not correctly labeling it," says Maiffret.

Worse, however, is the blind eye most corporations turn to non-Microsoft
vulnerabilities, and the difficulty they have in keeping up with necessary
patches.

"I've been preaching this all during 2006, that it's more than a Microsoft
world," says Maiffret. In fact, he says he's used the May Symantec
vulnerability during security conference presentations as the perfect example
of the kind of bug that could hit enterprises.

"The release of malware of this magnitude targeting non-Microsoft software was
only a matter of time," says Maiffret. "IT needs to understand that the new
vector for attack will not come from Microsoft, but from the applications that
are scattered throughout its network."

With IT focused on Microsoft and Patch Tuesday, many companies ignore
third-party vulnerabilities. Part of the problem, according to Maiffret, is the
lame update and patch notification process that many vendors use. Symantec, for
instance, doesn't use an auto-update mechanism for Client Security or
AntiVirus, which means customers must first be aware of a vulnerability, and
then know how to find and download it.

"As Microsoft gets better [about security] attackers realized that there's so
much other software out there," says Maiffret. "But the average vendor is about
seven years behind Microsoft" in its vulnerability research and update
processes. "They're still partying like it's 1999."

Maiffret's convinced that 2007 will see an explosion in vulnerabilities in and
exploits against the likes of Symantec and other non-Windows vendors, including
Apple. "From anti-virus to iTunes, these non-Microsoft desktop applications,
many of which IT is not even aware of, will become the enterprise's biggest
point of vulnerability very, very quickly," he says.

Symantec's current advice is to patch Symantec AntiVirus and Client Security to
protect systems against threats such as Big Yellow. A detailed guide on what
versions must be patched and how is available on the Symantec support site.
===

 /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)