Symantec under fire for bugs and flaws

Antivirus software company Symantec has been slammed by researchers for security holes and buggy code in two key products.

Antivirus software company Symantec has been slammed by researchers for security holes and buggy code in two key products.

On Monday (23 June), Symantec acknowledged a report about a serious security flaw in Symantec Security Check, a free online service that has been used by 30 million individuals and organisations.

The service enables users to scan their computer's vulnerability to a number of security threats. However, an ActiveX control installed by the Security Check service contains a buffer overflow vulnerability which could enable a remote attacker to crash or run malicious code on systems that had the control installed.

The control, named "Symantec RuFSI Utility Class" or "Symantec RuFSI Registry Information Class", is used to run the security check, but remains on systems after the scan is complete, according to Symantec.

After learning of the security hole on Monday, Symantec updated the ActiveX control in the Security Check service. Individuals that re-scanned their systems would receive the updated control.

Symantec also provided instructions on updating the control or removing it from affected systems.

However, security researchers monitoring the issue noted that simply updating the control still left users vulnerable to attack, especially if that control contains Symantec's digital signature.

Attackers who have a copy of the flawed ActiveX code with a valid digital signature could trick Microsoft Windows systems into accepting the control, opening that system to attack even if it did not already have the faulty component installed, according to Jason Coombs, a software security expert.

Symantec acknowledged that the control uses the same digital signature as the flawed one and is "looking into" that issue, according to Anson Lee, product manager for Norton Internet Security at Symantec.

In the meantime, the company is encouraging internet users to apply so-called "best practices" when prompted to download an ActiveX control.

These include scrutinising the signature of ActiveX components before agreeing to download them.

Users should be suspicious when third-party websites ask you to download an ActiveX component signed by Symantec, according to Vincent Weafer, senior director of Symantec Security Response.

The flawed ActiveX control from the Security Check service could be an attractive target for hackers. 

Symantec is creating a tool to help remove the ActiveX control from affected machines.

Symantec also found itself in hot water on Monday after customers using Symantec AntiVirus Corporate Edition reported that an automated antivirus definition update from the company caused the antivirus software to fail. The problem was disclosed in the NTBugtraq discussion this week.

The problem stemmed from a faulty antivirus "microdefinition update" distributed on 19 June, according to Russ Cooper, NTBugtraq moderator and "surgeon general" of TruSecure.

Microdefinition updates are a new feature with Version 8 of the Symantec AntiVirus Corporate Edition which enable systems running the software to download small, incremental antivirus definition updates rather than large, comprehensive definition update files, Cooper said.

Symantec's antivirus software would not start on desktop systems installing the faulty update, leaving some customers without antivirus protection on desktops and servers running the software.

The flaw affected a Symantec antivirus service called the "realtime scanner", which runs in the background while users work and monitors files and other resources for viruses, according to Weafer.

A second service, the "on-demand" scanner, was unaffected by the problem, he said.

Cooper received confirmation of the problem from at least 30 companies. "Thousands" of systems running the software were affected.

Symantec put the number of affected customers at less than 40 worldwide, according to Vincent Weafer.

Symantec also acknowledged the existence of the faulty update this week and provided instructions on repairing systems affected by it.

The problems are just the latest examples of problems introduced by antivirus companies.

In May, Trend Micro was forced to issue a fix for an embarrassing problem caused by an update to the eManager e-mail security product that blocked all e-mail containing the letter "P".

The problem stems from popular "auto-update" features that automatically distribute virus definitions and software updates to remote systems, Cooper said.

Such mechanisms frequently lack features to verify that such updates are properly installed on the systems that receive them, or to roll back faulty updates in the event that problems are introduced, he added.

Antivirus companies also frequently use the update features to silently distribute software patches to their customers, Cooper said.

Paul Roberts writes for IDG News Service

Read more on IT innovation, research and development