
Thread: Multiple AV vendor vulns - archived

  1. #71
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Question Symantec ...having 2010 date problems

    FYI...

    Symantec ...having 2010 date problems
    - http://isc.sans.org/diary.html?storyid=7870
    Last Updated: 2010-01-04 17:22:08 UTC - "... post from Symantec:
    - http://www.symantec.com/connect/foru...ed-04-jan-2010
    ... stating that Symantec Endpoint Protection Manager considers any definition update with a date newer than 11:59PM December 31 2009 to be out of date. They say they are working on a fix but are currently handling this by releasing new definitions with higher version numbers but the same date. This is impacting:
    * Symantec Endpoint Protection v11.x Product Line
    * Symantec Endpoint Protection Small Business Edition v12.x Product Line ..."
    - http://service1.symantec.com/SUPPORT...10010308571348

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #72
    Adviser Team AplusWebMaster's Avatar

    Post F-secure - false alarm in show_ads.js

    FYI...

    F-secure - false alarm in show_ads.js
    - http://www.f-secure.com/weblog/archives/00001865.html
    January 25, 2010 - "Some of our antivirus products had a brief false alarm today. The alert was from a common Javascript file called show_ads.js. The false alarm was for a trojan called Trojan.JS.Redirector.ar. The false alarm has been fixed in our update 2010-01-25_17. This only affected our older products, such as the 2009 product range. F-Secure Internet Security 2010 had no issues. We apologize for the false alarm. Sorry."


  3. #73
    Adviser Team AplusWebMaster's Avatar

    Post Kaspersky - false positive

    FYI...

    Kaspersky - false positive
    - http://www.theregister.co.uk/2010/01...alse_positive/
    25 January 2010 16:06 GMT - "Updated: An update to Kaspersky's popular anti-virus software on Monday falsely identified Google AdSense as a malicious script. As a result of the false alarm, Kaspersky users visiting sites in Google ad syndication network were falsely warned a site was infected with malicious Trojan-linked JavaScript... 'An incorrect signature was added to the company's antivirus databases on 25 January at 07:00 Moscow time (GMT+3). As a result, Kaspersky Lab products erroneously blocked some legitimate websites containing the link on script http://pagead2.googlesyndication.com/pagead/show_ads.js , which is used in the contextual advertising system Google AdSense. When users visited an affected web resource, a message was displayed stating that the page contained the malicious program Trojan.JS.Redirector.ar. The problem was quickly resolved and by 19:00 Moscow time the company's products had stopped generating alerts for legitimate internet pages. Kaspersky Lab would like to apologize for any inconvenience this problem may have caused users...'..."


  4. #74
    Adviser Team AplusWebMaster's Avatar

    Post Symantec false positives...

    FYI...

    Symantec false positives...
    - http://isc.sans.org/diary.html?storyid=8104
    Last Updated: 2010-01-28 16:59:13 UTC - "... might be a false positive in Symantec's host based detection, flagging the Adobe Flash Installer as a Trojan Horse... Symantec is encouraging people that are affected to call Symantec support... Seems that the affected Revision is:
    2010-01-27 rev 049..."

    - http://www.theregister.co.uk/2010/01...y_false_alarm/
    28 January 2010 - "...A misfiring anti-virus definition update caused Symantec's Norton security software to wrongly classify Spotify program files as malign and shuffled them off into quarantine. Symantec responded quickly to the problem by issuing a fix that quashed the false alarm. Even after they update their security software, Symantec users may still have to reinstall Spotify in order to listen to the service again..."

    > ftp://ftp.symantec.com/AVDEFS/symant...ease/sequence/

    Last edited by AplusWebMaster; 2010-01-29 at 00:21.

  5. #75
    Adviser Team AplusWebMaster's Avatar

    Exclamation avast! vuln - updates available

    FYI...

    avast! vuln - updates available
    - http://secunia.com/advisories/38689/
    Release Date: 2010-02-23
    Impact: Privilege escalation, DoS
    Where: Local system
    Solution Status: Vendor Patch...
    Solution: The vulnerability is fixed in version 5.0.418...

    - http://secunia.com/advisories/38677/
    Release Date: 2010-02-23
    Impact: Privilege escalation, DoS
    Where: Local system
    Solution Status: Vendor Patch...
    Solution: Update to version 5.0.418...

    > http://forum.avast.com/index.php?topic=55484.0

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0705
    Last revised: 02/26/2010
    CVSS v2 Base Score: 7.2 (HIGH)

    Last edited by AplusWebMaster; 2010-03-02 at 20:00.

  6. #76
    Adviser Team AplusWebMaster's Avatar

    Exclamation CA CSS vulns...

    FYI...

    CA Service Desk Tomcat CSS vuln - workaround
    - http://secunia.com/advisories/37606/
    Release Date: 2010-02-23
    Impact: Cross Site Scripting
    Where: From remote
    Solution Status: Vendor Workaround
    Software: CA Service Desk 12.x
    Original Advisory: CA20100222-01:
    https://support.ca.com/irj/portal/an...ntentID=229526

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-1947

    CA eHealth Performance Manager CSS vuln - patch available
    - http://secunia.com/advisories/38694/
    Release Date: 2010-02-24
    Impact: Cross Site Scripting
    Where: From remote
    Solution Status: Vendor Patch
    Software: CA eHealth Performance Manager 6.x
    Solution: Enable "Scan user input for potentially malicious HTML content". Please see the vendor's advisory for more information.
    Original Advisory: CA20100223-01:
    https://support.ca.com/irj/portal/an...ntentID=229652

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0640

    Installation and Upgrade Issues... CA eHealth Performance Manager r6.1.x through r6.2
    >>> https://support.ca.com/irj/portal/an...ntentID=227051

    Last edited by AplusWebMaster; 2010-02-24 at 23:22.

  7. #77
    Adviser Team AplusWebMaster's Avatar

    Exclamation BitDefender false positive on X64 systems

    FYI...

    Faulty Update for 64 bit Operating Systems
    - http://news.bitdefender.com/NW1431-e...g-Systems.html
    22 March 2010

    - http://forum.bullguard.com/forum/15/...sue_84115.html
    22-03-2010

    BitDefender 2010 - false positive on X64 systems
    - http://isc.sans.org/diary.html?storyid=8464
    Last Updated: 2010-03-21 00:44:19 UTC (Version: 2) - "... BitDefender 2010 appears to have released a set of bad definitions. Unfortunately, these bad virus definitions appear to detect core DLL files and even parts of BitDefender, itself, as infected by "Trojan.FakeAlert.5". There is quite a thread discussing this issue on the BitDefender Forums*. If you or your organization uses BitDefender, I would heavily recommend that you disable auto-update of the definitions until corrected ones are released soon. Also, I would recommend preparing to do a lot of hands-on clean up to reverse those files which were quarantined by accident.
    Update: BitDefender has been sharing more information about this incident involving 64-bit architecture via their twitter account**. They point users to their knowledge base*** for more details on how to recover from this problem. I hope that beyond the initial response of this major issue, BitDefender and all antivirus vendors will recheck how they test, do quality assurance, and prepare to use social media as a communication tool for their customers in the case of an emergency."
    * http://forum.bitdefender.com/index.p...pic=18759&st=0

    ** http://twitter.com/bitdefender/

    *** http://www.bitdefender.com/site/Know.../consumer/#638
    ____

    - http://www.krebsonsecurity.com/2010/...s-windows-pcs/
    March 20, 2010

    - http://twitter.com/bitdefender/status/10797005869
    4:27 PM Mar 20th - "update: malware writers taking advantage of this update issue - please only use removal and fix tools from:
    http://www.bitdefender.com/ ..."

    Last edited by AplusWebMaster; 2010-03-22 at 17:57.

  8. #78
    Adviser Team AplusWebMaster's Avatar

    Exclamation ClamAV vuln - update available

    FYI...

    ClamAV vuln - update available
    - http://secunia.com/advisories/39329/
    Release Date: 2010-04-07
    Criticality level: Highly critical
    Impact: Security Bypass, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Clam AntiVirus (clamav) 0.x
    CVE Reference: CVE-2010-0098
    Solution: Update to version 0.96.

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0098
    Last revised: 04/09/2010
    CVSS v2 Base Score: 10.0 (HIGH)

    Download
    - http://www.clamav.net/
    Latest ClamAV stable release is: 0.96

    Changelog
    - http://git.clamav.net/gitweb?p=clama...eLog;hb=master

    Last edited by AplusWebMaster; 2010-04-13 at 15:34.

  9. #79
    Adviser Team AplusWebMaster's Avatar

    Post F-Secure advisory FSC-2010-1

    FYI...

    F-Secure advisory FSC-2010-1
    - http://www.f-secure.com/en_EMEA/supp...sc-2010-1.html
    2010-04-12
    Security Advisory FSC-2010-1
    Malformed archive bypass vulnerability

    - http://secunia.com/advisories/39396/


  10. #80
    Adviser Team AplusWebMaster's Avatar

    Unhappy McAfee DAT 5958 update issues...

    FYI...

    McAfee DAT 5958 update issues
    - http://isc.sans.org/diary.html?storyid=8656
    Last Updated: 2010-04-21 19:22:30 UTC ...(Version: 2) - "McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It can not be used to undo this bad signature because affected systems will lose network connectivity. The problem is a false positive which identifies a regular Windows binary, "svchost.exe", as "W32/Wecorl.a", a virus. If you are affected, you will see a message like:
    The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
    Undetermined clean error, OAS denied access and continued.
    Detected using Scan engine version 5400.1158 DAT version 5958.0000.
    McAfee released an updated DAT file, and an "EXTRA.DAT" file to fix the problem. An EXTRA.DAT file is a patch to just fix the bad signature. McAfee's support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue. Several readers reported that this procedure worked to recover:
    1 - Boot the system in "Safe Mode"
    2 - copy extra.dat in c:/program files/common files/mcafee/engine
    3 - reboot.
    If you lost "svchost.exe", then you need to copy it back to c:/Windows/system32/svchost.exe while in safe mode. This fix has to be applied locally at the workstation. However, it may be possible to do this remotely if your workstations support Intel's "vPro" technology. We should have a link to instructions shortly. Additional information from McAfee:
    http://community.mcafee.com/thread/24056?tstart=0
    McAfee Knowledgebase Article:
    https://kc.mcafee.com/corporate/inde...ent&id=KB68780
    EXTRA.DAT file:
    http://home.mcafee.com/VirusInfo/Vir...spx?key=265240 ..."

    Corporate or Business users
    - http://vil.nai.com/vil/5958_false.htm
    April 25, 2010 - Windows XP with SP3...
    • If you receive a detection for w32/wecorl.a, Do not restart your computer until you have performed the remediation steps in this article...

    Home Users
    - http://service.mcafee.com/faqdocument.aspx?id=TS100969
    ___

    - http://www.symantec.com/connect/blog...false-positive
    April 22, 2010 - "... We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware... This attack by the malware creators is quite insidious since many of the people searching for information about this problem are most likely already affected by the problem and are looking for a solution using another computer..."

    Last edited by AplusWebMaster; 2010-04-26 at 14:49.