Security flaw in Symantec's antivirus updater
The tool used to update the virus definitions in Symantec Corp.'s antivirus products has a security hole that can allow hostile code to be downloaded to PCs, according to the German hacking group Phenoelit.
LiveUpdate, the software used by Symantec's antivirus software to automatically update virus protections when updates become available, has flaws in both the 1.4 and 1.6 versions that allow for the attacks, Phenoelit said. When LiveUpdate 1.4 looks for updates, it attempts to connect to a specific server at Symantec, the group said. That connection, however, can be hijacked using a number of DNS (domain name server) attacks and rerouted to the server of the attacker's choice, Phenoelit said. If an attacker recreates the proper directory structure on the server the connection is sent to, any code can be downloaded to the user's machine and executed, the group said.
Version 1.6 doesn't have as extensive a vulnerability, but can fall victim to a network performance degradation attack, the group said. The use of a special Symantec data format for the updates and cryptographically signed update files prevents the same kind of attacks that LiveUpdate 1.4 can be hit with, Phenoelit said. Version 1.6 can also be prevented from receiving any updates, even if they are available, by using the connection hijacking attack and manipulating some files on the destination server, the group said.
Phenoelit notified Symantec of the flaw on Sept. 22, according to documents on the group's Web site. Symantec did not immediately return calls seeking comment.
The group advised users to upgrade to LiveUpdate 1.6, though it noted that LiveUpdate 1.6 is still vulnerable to the network degradation attack. It also urged Symantec to use new cryptographic signing methods and to tell its customer about the security flaws in LiveUpdate 1.4.
Symantec, in Cupertino, California, can be reached at +1-408-253-9600 or via the Web at http://www.symantec.com. Phenoelit's full advisory can be found on the group's Web site at http://www.phenoelit.de/stuff/LiveUpdate.txt.
ITworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
