Symantec and Norton are among the most popular security tools, but the U.S. Department of Homeland Security warns of critical flaws that could pose great risks.
A slew of corporate, government and personal computers are protected by Symantec, but are they really protected? Homeland Security believes there’s reason to worry, and has issued a warning this week.
“Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry,” notes the alert. “Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.”
My deep dislike and mistrust for antivirus peddlers and their shady business practices are known around these parts, so none of this obviously surprises me in the slightest. These are companies fooling otherwise fantastic websites like Ars Technica into publishing FUD articles about OS X/iOS/Android/Linux/BeOS/MULTICS eating all your documents and murdering your firstborn unlessyoubuytheirproductswhichareototallynotresourcehogsandreallyarentuselesspiecesofjunk, so I’m not surprised their products are insecure.
Since I’m anything but oblivious to the irony of posting this story (in fact, it’s one of the prime reasons to post this), be sure to read the source note from the U.S. Department of Homeland Security to make up your own mind.
No shit? Microsoft security “essentials” sends on all ports, Panda antivirus reports traffic on both directions to a central server. how the smack could you be schocked by this news?
And yes clearly BeOS has gained user share to 0.1%. Governtment agencies are retarded.
That 0.1% is probably me!
Seriously though, this is no surprise really. The names Symantic and Norton are synonymous with junk anyway.
What is surprising to me at least, is that US government agency’s use that junk. Unbelievable!
Edited 2016-07-13 04:19 UTC
Where does it say anything about BeOS on the US-CERT website?
From the last note:
Solution
Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9 (link is external)] and SYM16-010 [10 (link is external)] security advisories.
US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.
So this wasn’t exploited and was patched mid May and End of June….How is this anything other than all other software in the world?
Because Thom really likes to rant about AV software.
While one could expect that vulnerabilities exist in any code – including that aiming at protecting a system – I found it intriguing that only Symantec`s products were discussed.
It is hard to resist thinking of possible ulterior motives with the publication:
Was it in retribution for having uncovered and publicly disclosed the existence of Stuxnet?
Was it a signal to anyone and everyone not to feel “100% protected” even when using anti-malware/anti-virus products?
Also, for every vulnerability publicly uncovered, how many exist being exploited and not their existence not being disclosed?
BlueofRainbow,
US-CERT stands for “US computer emergency readiness team”, why do we need a conspiracy theory to explain their motive for announcing 8 critical vulnerabilities? It’s just another source of security alerts, anyone is free to take it or leave it.
https://www.us-cert.gov/ncas/alerts
Oh, come on, what is life without a pinch of conspiracy sporadically ? And what is even better, sometimes it happens to be true* ! :p
* Just like almost every other thing people say.
It’s important to note that not all security vulnerabilities are published, and there is a clear conflict of interest in doing so when it would harm the image of your company’s flagship product.
I’m not saying that drives all statements these companies make, but it’s pretty obvious that at a basic level, it’s good for business to say that no AV makes you very vulnerable and bad for business to say that AV itself is vulnerable.
I’ve never used any antivirus software and I can’t remember even one time that my PC was infected.
My BeOS and Linux machines have never been infected either.
My Windows one’s have though, even with antivirus software installed, grrr!
I used to work in IT for the DOI, and we would see viruses all the time even though we had a very expensive subscription to Symantec’s finest AV.
Given how AV degrades performance, opens up entirely new attack vectors, and can’t even do its one job reliably on top of that, the cure is really worse than the disease here.
I work in government and we switched from Symantec to Microsoft’s solution. As is the case with all antivirus software, it works with well known threats, but fails with the unknown or recent ones. The problem would literally dissapear with better policies, suchs as execute only from safe locations, effectively disallowing users from running any executable from USBs and their own profile. Most of the crap the would download or bring from home wouldn’t affect the systems.
Then how do you know it’s not already infected? Not all viruses have visible behaviour.
Why stay only on big corporations when you can spread fear among the people and get your pocket full of $$$
I am more confident that ever from where all those new viruses are borned/coming from.
If all start using free solutions you will see a dramatic decline in new viruses until extinction!!!
Time to wake up, people.
Edited 2016-07-13 21:24 UTC
I understand the sentiment against AV here, and I totally loath the business practices of certain AV companies. But AV is still a very important part of a layered security model. Yes, your computers might be virus free for years without using AV, and that’s because you are a knowledgeable and disciplined computer expert. Imagine managing a company with a lot of regular users, with some IT policies you may nor may not alter, using AV is still very effective at stopping run-of-the-mill malware/ransomware that your naive users are downloading every day.
As for the current case on hand, Symantec instantly patched it, which is good. I don’t understand the fuss. Also having more CVEs disclosed shouldn’t be correlated to the quality of a product. Some companies simply are more transparent; Symantec’s products are the number one in market share so they probably underwent most scrutiny. I’m not say that Symantec’s products are good or not bad; just saying correlating the number of CVEs to a product’s quality is not very scientific.
I’ve worked with some Symantec engineers before and I can say that they are usually very skilled and honest of their products. For me I’d rather use a product of which discovering CVEs makes to the headline than using some smaller vendors’ products that few people study.
On the technical side, Symantec really should be doing more fuzzer analysis of their product. There is no excuse no doing that. For that part it’s shame on them.
EthanGreen,
In my experience it’s rarely the engineers who are dishonest.
I looked at all 25 CVEs for Symantec published in 2016, not a one of them was disclosed by Symantec. This implies that Symantec either did not discover them, or did not disclose them. Logically one of those is true, take your pick.
Anyways, welcome to osnews!
Edited 2016-07-14 00:32 UTC
I believe they simply didn’t discover them. The recent focus of Symantec Research Labs is on Big Data and reputation-based executable classification, to the point that their products function poorly when your computer is offline. The following is my speculation: probably because of the emphasis on Big Data, there is not enough people working on other research areas, such as heuristics detection or engineering efforts, such as moving their unpack engine to user space and fuzzer analysis.
Also if I were Symantec I wouldn’t file CVE either. Why? The reason we need public CVEs is that your clients can evaluate the severity and decide a patching schedule. Symantec simply declares all patches critical and requires all the updates be installed promptly, and they have a good online updating system. They find a bug, they fix it and release it asap. All customers are required to update pronto. That’s it. There’s no need for filing CVE from a company’s POV.
Please don’t mistake me for a Symantec fanboy. Symantec’s products are totally mediocre and slow down or crash my company’s computers all the time. But what else can I pick for my small business? As a US person I don’t quite like sending my company’s data to foreign AV companies (no discrimination or judging, just that I understand the US laws better than other countries, and in case something goes really bad I have a US company to sue). The top three are Symantec, McAfee, and Microsoft. McAfee is dying after the Intel acquisition. And even MS is recommending users to buy a 3rd party AV when possible.
I use AV to stave off regular malware, not APT attack. I’m not worrying too much about 0days in Symantec either, because newly discovered 0days are very likely being sold for a huge profit on black market and being used to attack all the high profile users like governments and big companies. If a 0day is being actively exploited on a larger scale, it will be discovered and patched within hours; Symantec is bad at discovering holes, but they are usually fast on patching them.
(I’ve been reading OSAlert for decades. Just only recently bothered to register. Have a nice weekend
Think they will predate long term, but at higher layers and surfaces.
Lots of Wars that still no Actor is fighting in unaware Users behalf.
Their infrastructure need strong re-engineering.