Symantec today disclosed security vulnerabilities in the 2004 and 2005 versions of its Symantec Norton AntiVirus suite of products. The company said patches have already been released.
Both vulnerabilities allowed denial of service (DoS) attacks through the SmartScan feature in which a real-time scan of a specific file type could result in “the blue screen of death” and require rebooting the system.
One vulnerability was triggered when a file housed in a shared network folder was renamed; it affected computers running Symantec Norton AntiVirus 2004 and 2005 when Auto-Protect scanned certain file types that Symantec did not name.
No Problems Reported
“To date, Symantec has not had any reports of any related exploits of the vulnerabilities,” Symantec said in a statement to the press.
The vulnerabilities were discovered by Japanese security researchers. Symantec said that manually running LiveUpdate will patch the holes.
“These types of mistakes are very common and the truth is that vulnerabilities are a fact of life in all software products,” Ed Moyle, president of SecurityCurve, told TechNewsWorld. “Products that are more widely deployed are under more scrutiny from vulnerability researchers; therefore a consumer product like this one is an attractive target as it is running on a large number of machines.”
What’s the Risk?
The company rated the issues as low risk.
“Traditionally, DoS vulnerabilities are classified as low risk in the security community at large because they do not allow an attacker to gain unauthorized access to the machine using the vulnerable software as a vector,” Moyle said.
He added, however, that a low-risk rating does not mean that computer users should underestimate the potential for harm if they do not update their software.
“I understand why they classified it low risk; however, users should be advised that it is the vulnerability vector itself that’s low risk, not any other fallout from it,” he said.
“In other words, attackers can’t take over the machine using this bug, but since the vulnerability is in an antivirus product and since it could disable the update capability of the antivirus software, it could leave a machine without functional or up-to-date virus detection. That’s not low risk in today’s world.”