Multiple AV vendor vulns - archived

Multiple Symantec vulns / updates / issues

FYI...

Symantec SYM09-010 - Symantec Products KeyView XLS Processing Buffer Overflow
- http://secunia.com/advisories/36421/2/
Release Date: 2009-08-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS: Symantec Brightmail Gateway 8.x, Symantec Mail Security Appliance 5.0.x ...
Solution: Please see the vendor advisory for a patch matrix.
Symantec (SYM09-010): http://preview.tinyurl.com/mp5rza ...

Norton 2009 product or Norton 360 Version 3.0 - Error: "Symantec Service Framework has encountered a problem and needs to close..." after you install the latest updates
- http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090821103237EN
Last modified: 08/25/2009 - "Download and run the fix tool
1. Download the fix tool*.
Save the file to the Windows desktop.
DOWNLOAD
2. On the Windows desktop, double-click KB20090821103237EN.exe.
3. In the Open File - Security Warning window, click Run.
4. In the Norton Hotfix window, click Yes.
5. Accept the license agreement, and click OK.
6. Follow the on-screen instructions.
Restart your computer... In some cases you may need to restart the computer twice to apply the hotfix correctly. After you run the fix tool and restart the computer, if you still see this error message, restart the computer once again.
DOCID: 20090821103237EN
Operating System: Windows Vista, Windows XP
* ftp://ftp.symantec.com/public/english_us_canada/hotfix/KB20090821103237EN.exe

:fear::fear:
 
CA Anti-Virus Engine vuln...

FYI...

CA Anti-Virus Engine - CA20091008-01
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
"... CA has issued fixes to address the vulnerabilities.
The first vulnerability, CVE-2009-3587, is due to improper handling of a specially crafted RAR archive file by the CA Anti-Virus engine arclib component. An attacker can create a malformed RAR archive file that results in heap corruption and allows the attacker to cause a denial of service or possibly further compromise the system.
The second vulnerability, CVE-2009-3588, is due to improper handling of a specially crafted RAR archive file by the CA Anti-Virus engine arclib component. An attacker can create a malformed RAR archive file that results in stack corruption and allows the attacker to cause a denial of service.
... If the file version is earlier than indicated below, the installation is vulnerable.
File Name: arclib.dll
File Version: 8.1.4.0
> For eTrust Intrusion Detection 2.0, the file is located in "Program Files\eTrust\Intrusion Detection\Common", and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in "Program Files\CA\Intrusion Detection\Common".
> For CA Anti-Virus r8.1 on non-Windows platforms:
Use the compver utility provided on the CD to determine the version of Arclib. If the version is less than 8.1.4.0, the installation is vulnerable..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3587

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3588

:fear:
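The version check CA describes (arclib.dll or Arclib earlier than 8.1.4.0 is vulnerable), as an added example that is mine rather than CA's or the poster's: it pulls dwFileVersion out of the VS_FIXEDFILEINFO block of a DLL and compares it against the fixed version, and parse_version covers the compver output on non-Windows hosts. Function names and the sample image are assumptions of mine.

```python
import struct
from pathlib import Path

# From the CA advisory: an arclib.dll / Arclib version earlier than 8.1.4.0 is vulnerable.
FIXED_VERSION = (8, 1, 4, 0)
# Little-endian encoding of the VS_FIXEDFILEINFO signature 0xFEEF04BD.
FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"


def parse_version(text):
    """'8.1.4.0' -> (8, 1, 4, 0); short forms such as '8.1' are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version):
    """True when the installed version is older than the fixed one (tuple comparison)."""
    return tuple(version) < FIXED_VERSION


def file_version_from_bytes(data):
    """Locate VS_FIXEDFILEINFO in a PE image and return dwFileVersion as a 4-tuple.
    Assumption (mine): the first signature hit is the file's version resource."""
    idx = data.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<4I", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def check_arclib(path):
    """Read arclib.dll from disk and report (version, vulnerable)."""
    version = file_version_from_bytes(Path(path).read_bytes())
    if version is None:
        raise ValueError(f"no version resource found in {path}")
    return version, is_vulnerable(version)


def build_sample_image(version):
    """Constructed stand-in for a DLL: stub header plus one VS_FIXEDFILEINFO block."""
    major, minor, build, rev = version
    ver_ms = (major << 16) | minor
    ver_ls = (build << 16) | rev
    fixed = struct.pack("<4I", 0xFEEF04BD, 0x00010000, ver_ms, ver_ls) + b"\x00" * 36
    return b"MZ" + b"\x00" * 126 + fixed


if __name__ == "__main__":
    for v in ((8, 1, 3, 0), (8, 1, 4, 0)):
        found = file_version_from_bytes(build_sample_image(v))
        print(".".join(map(str, found)), "vulnerable" if is_vulnerable(found) else "fixed")
```

On a real host call check_arclib() with the path from the advisory for your product.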
 
F-Secure PDF handling vuln - update available

FYI...

F-Secure PDF handling vuln - update available
- http://secunia.com/advisories/37192/2/
Release Date: 2009-10-29
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch...
Original Advisory: F-Secure:
http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2009-3.html
Last updated: 2009-10-29
Risk level: High
"... A fix for the problem has been distributed through the malware definition database update channel. This advisory only affects systems that, for some reason, are not updated automatically..."

:fear::blink:
 
Kaspersky AV vuln - update available

FYI...

Kaspersky AV vuln - update available
- http://secunia.com/advisories/37398/2/
Release Date: 2009-11-18
Impact: DoS
Where: Local system
Solution Status: Vendor Patch
Software: Kaspersky Anti-Virus 2010
Solution: Update to version 9.0.0.736.
Original Advisory:
http://sysdream.com/article.php?story_id=323&section_id=78
"... Patch Updated: 2009/11/16..." (?)

- http://www.kaspersky.com/kav_latest_versions

- http://usa.kaspersky.com/support/ho...arch=900463+pointer+dereference+vulnerability
October 21, 2009

:fear:
 
ClamAV v0.95.3 released

FYI...

ClamAV v0.95.3 released
- http://www.clamav.net/download/sources
Latest stable release: ClamAV 0.95.3...

- http://wiki.clamav.net/bin/view/Main/UpgradeNotes0953
If you have trouble compiling ClamAV please apply this patch (see bug #1737)
You can apply the patch ...
- http://wiki.clamav.net/pub/Main/UpgradeNotes0953/patch-0.95.3-bug1737.diff

- http://wiki.clamav.net/Main/UninstallClamAV
... Make sure that you haven’t got old libraries (libclamav.so) lying around your filesystem. You can verify it using: $ ldd `which freshclam`
Also make sure there is really only one version of ClamAV installed on your system...

- http://www.clamwin.com/content/view/220/1/
11 November 2009

- http://www.securityfocus.com/bid/35410/info
Updated: Nov 18 2009 05:16PM

:fear::fear:
 
Avast false positives - fix released

FYI...

Avast false positives - fix released
- http://isc.sans.org/diary.html?storyid=7681
Last Updated: 2009-12-03 11:04:57 UTC - "We have received a number of reports of Avast Antivirus false positives... With a recent update the Avast antivirus product has started identifying legitimate products as containing Win32-Dell-MZG...
Update:
A new update was released fixing the issue. 091203-1. If you haven't used your computer between 12:00am UTC and 5.50 am UTC, then you will receive the new update and you should be fine. For those that were affected I recommend you keep an eye on the Avast blog http://forum.avast.com/index.php?topic=51647 as they are working on some how to's to help fix any issues."

:fear::fear:
 
Kaspersky - Insecure default directory permissions

FYI...

Kaspersky - Insecure default directory permissions
- http://secunia.com/advisories/37730/2/
Release Date: 2009-12-17
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software:
Kaspersky Anti-Virus for Windows Server 6.x
Kaspersky Anti-Virus for Windows Workstations 6.x
Kaspersky Internet Security 9.x ...
Solution:
Kaspersky Internet Security 2010:
Update to version 9.0.0.736.
Kaspersky Anti-Virus 6.0 for Windows Workstations:
Update to version 6.0.4.1212.
Kaspersky Anti-Virus 6.0 for Windows File Servers:
Update to version 6.0.4.1212...

- http://www.kaspersky.com/kav_latest_versions

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4114

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4452

:fear:
 
Symantec ...having 2010 date problems

FYI...

Symantec ...having 2010 date problems
- http://isc.sans.org/diary.html?storyid=7870
Last Updated: 2010-01-04 17:22:08 UTC - "... post from Symantec:
- http://www.symantec.com/connect/for...ions-stay-31-12-2009-last-updated-04-jan-2010
... stating that Symantec Endpoint Protection Manager considers any definition update with a date newer than 11:59PM December 31 2009 to be out of date. They say they are working on a fix but are currently handling this by releasing new definitions with higher version numbers but the same date. This is impacting:
* Symantec Endpoint Protection v11.x Product Line
* Symantec Endpoint Protection Small Business Edition v12.x Product Line ..."
- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348

:sad:
 
F-secure - false alarm in show_ads.js

FYI...

F-secure - false alarm in show_ads.js
- http://www.f-secure.com/weblog/archives/00001865.html
January 25, 2010 - "Some of our antivirus products had a brief false alarm today. The alert was from a common Javascript file called show_ads.js. The false alarm was for a trojan called Trojan.JS.Redirector.ar. The false alarm has been fixed in our update 2010-01-25_17. This only affected our older products, such as the 2009 product range. F-Secure Internet Security 2010 had no issues. We apologize for the false alarm. Sorry."

:sad:
 
Kaspersky - false positive

FYI...

Kaspersky - false positive
- http://www.theregister.co.uk/2010/01/25/kaspersky_adsense_false_positive/
25 January 2010 16:06 GMT - "Updated: An update to Kaspersky's popular anti-virus software on Monday falsely identified Google AdSense as a malicious script. As a result of the false alarm, Kaspersky users visiting sites in Google's ad syndication network were falsely warned a site was infected with malicious Trojan-linked JavaScript... 'An incorrect signature was added to the company's antivirus databases on 25 January at 07:00 Moscow time (GMT+3). As a result, Kaspersky Lab products erroneously blocked some legitimate websites containing the link on script http://pagead2.googlesyndication.com/pagead/show_ads.js , which is used in the contextual advertising system Google AdSense. When users visited an affected web resource, a message was displayed stating that the page contained the malicious program Trojan.JS.Redirector.ar. The problem was quickly resolved and by 19:00 Moscow time the company's products had stopped generating alerts for legitimate internet pages. Kaspersky Lab would like to apologize for any inconvenience this problem may have caused users...'..."

:fear:
 
Symantec false positives...

FYI...

Symantec false positives...
- http://isc.sans.org/diary.html?storyid=8104
Last Updated: 2010-01-28 16:59:13 UTC - "... might be a false positive in Symantec's host based detection, flagging the Adobe Flash Installer as a Trojan Horse... Symantec is encouraging people that are affected to call Symantec support... Seems that the affected Revision is:
2010-01-27 rev 049..."

- http://www.theregister.co.uk/2010/01/28/symantec_spotify_false_alarm/
28 January 2010 - "...A misfiring anti-virus definition update caused Symantec's Norton security software to wrongly classify Spotify program files as malign and shuffle them off into quarantine. Symantec responded quickly to the problem by issuing a fix that quashed the false alarm. Even after they update their security software, Symantec users may still have to reinstall Spotify in order to listen to the service again..."

> ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/

:fear:
 
avast! vuln - updates available

FYI...

avast! vuln - updates available
- http://secunia.com/advisories/38689/
Release Date: 2010-02-23
Impact: Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch...
Solution: The vulnerability is fixed in version 5.0.418...

- http://secunia.com/advisories/38677/
Release Date: 2010-02-23
Impact: Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch...
Solution: Update to version 5.0.418...

> http://forum.avast.com/index.php?topic=55484.0

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0705
Last revised: 02/26/2010
CVSS v2 Base Score: 7.2 (HIGH)

:fear:
 
CA CSS vulns...

FYI...

CA Service Desk Tomcat CSS vuln - workaround
- http://secunia.com/advisories/37606/
Release Date: 2010-02-23
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Workaround
Software: CA Service Desk 12.x
Original Advisory: CA20100222-01:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=229526

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1947

CA eHealth Performance Manager CSS vuln - patch available
- http://secunia.com/advisories/38694/
Release Date: 2010-02-24
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: CA eHealth Performance Manager 6.x
Solution: Enable "Scan user input for potentially malicious HTML content". Please see the vendor's advisory for more information.
Original Advisory: CA20100223-01:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=229652

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0640

Installation and Upgrade Issues... CA eHealth Performance Manager r6.1.x through r6.2
>>> https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=227051

:fear:
 
BitDefender false positive on X64 systems

FYI...

Faulty Update for 64 bit Operating Systems
- http://news.bitdefender.com/NW1431-en--Faulty-Update-for-64-bit-Operating-Systems.html
22 March 2010

- http://forum.bullguard.com/forum/15/TrojanFakeAlert5-Update-issue_84115.html
22-03-2010

BitDefender 2010 - false positive on X64 systems
- http://isc.sans.org/diary.html?storyid=8464
Last Updated: 2010-03-21 00:44:19 UTC (Version: 2) - "... BitDefender 2010 appears to have released a set of bad definitions. Unfortunately, these bad virus definitions appear to detect core DLL files and even parts of BitDefender, itself, as infected by "Trojan.FakeAlert.5". There is quite a thread discussing this issue on the BitDefender Forums*. If you or your organization uses BitDefender, I would heavily recommend that you disable auto-update of the definitions until corrected ones are released soon. Also, I would recommend preparing to do a lot of hands-on clean up to reverse those files which were quarantined by accident.
Update: BitDefender has been sharing more information about this incident involving 64-bit architecture via their twitter account**. They point users to their knowledge base*** for more details on how to recover from this problem. I hope that beyond the initial response of this major issue, BitDefender and all antivirus vendors will recheck how they test, do quality assurance, and prepare to use social media as a communication tool for their customers in the case of an emergency."
* http://forum.bitdefender.com/index.php?showtopic=18759&st=0

** http://twitter.com/bitdefender/

*** http://www.bitdefender.com/site/KnowledgeBase/consumer/#638
____

- http://www.krebsonsecurity.com/2010/03/bad-bitdefender-antivirus-update-hobbles-windows-pcs/
March 20, 2010

- http://twitter.com/bitdefender/status/10797005869
4:27 PM Mar 20th - "update: malware writers taking advantage of this update issue - please only use removal and fix tools from:
http://www.bitdefender.com/ ..."

:fear::sad:
 
ClamAV vuln - update available

FYI...

ClamAV vuln - update available
- http://secunia.com/advisories/39329/
Release Date: 2010-04-07
Criticality level: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Clam AntiVirus (clamav) 0.x
CVE Reference: CVE-2010-0098
Solution: Update to version 0.96.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0098
Last revised: 04/09/2010
CVSS v2 Base Score: 10.0 (HIGH)

Download
- http://www.clamav.net/
Latest ClamAV stable release is: 0.96

Changelog
- http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=master

:fear:
 
McAfee DAT 5958 update issues...

FYI...

McAfee DAT 5958 update issues
- http://isc.sans.org/diary.html?storyid=8656
Last Updated: 2010-04-21 19:22:30 UTC ...(Version: 2) - "McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It cannot be used to undo this bad signature because affected systems will lose network connectivity. The problem is a false positive which identifies a regular Windows binary, "svchost.exe", as "W32/Wecorl.a", a virus. If you are affected, you will see a message like:
The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.
McAfee released an updated DAT file, and an "EXTRA.DAT" file to fix the problem. An EXTRA.DAT file is a patch to just fix the bad signature. McAfee's support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue. Several readers reported that this procedure worked to recover:
1 - Boot the system in "Safe Mode"
2 - copy extra.dat in c:/program files/common files/mcafee/engine
3 - reboot.
If you lost "svchost.exe", then you need to copy it back to c:/Windows/system32/svchost.exe while in safe mode. This fix has to be applied locally at the workstation. However, it may be possible to do this remotely if your workstations support Intel's "vPro" technology. We should have a link to instructions shortly. Additional information from McAfee:
http://community.mcafee.com/thread/24056?tstart=0
McAfee Knowledgebase Article:
https://kc.mcafee.com/corporate/index?page=content&id=KB68780
EXTRA.DAT file:
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240 ..."

Corporate or Business users
- http://vil.nai.com/vil/5958_false.htm
April 25, 2010 - Windows XP with SP3...
• If you receive a detection for w32/wecorl.a, do not restart your computer until you have performed the remediation steps in this article...

Home Users
- http://service.mcafee.com/faqdocument.aspx?id=TS100969
___

- http://www.symantec.com/connect/blogs/malware-authors-taking-advantage-mcafee-false-positive
April 22, 2010 - "... We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware... This attack by the malware creators is quite insidious since many of the people searching for information about this problem are most likely already affected by the problem and are looking for a solution using another computer..."

:fear::sad:
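Triage logic for the OAS message quoted in the diary above, as an added example that is mine and not McAfee's or the ISC diary's: it parses the "The file ... contains" and "Detected using ..." lines and separates the known DAT 5958 svchost.exe / W32/Wecorl.a false positive from other detections, so affected hosts can be routed to the EXTRA.DAT recovery steps while real hits stay in the normal queue. The second log record and all function names are constructed assumptions of mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The known-bad combination from the diary: DAT 5958 flags svchost.exe as W32/Wecorl.a.
BAD_DAT = "5958"
BAD_DETECTION = "W32/Wecorl.a"
BAD_FILE = "svchost.exe"

DETECT_RE = re.compile(r"^The file (?P<path>.+?) contains the (?P<name>\S+) Virus\.$")
DAT_RE = re.compile(r"Scan engine version (?P<engine>[\d.]+) DAT version (?P<dat>\d+)\.\d+\.")


@dataclass
class Detection:
    path: str
    name: str
    engine: Optional[str] = None
    dat: Optional[str] = None

    def is_dat5958_false_positive(self):
        """Only the exact DAT/name/file triple from the advisory is treated as the FP."""
        return (self.dat == BAD_DAT and self.name == BAD_DETECTION
                and self.path.lower().endswith("\\system32\\" + BAD_FILE))


def parse_oas_log(text):
    """Group an OAS log into Detection records; a 'Detected using' line belongs to
    the most recent 'The file ... contains' line above it."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        m = DETECT_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["name"]))
            continue
        m = DAT_RE.search(line)
        if m and detections:
            detections[-1].engine = m["engine"]
            detections[-1].dat = m["dat"]
    return detections


def triage(text):
    """Return (false_positives, other_hits); the first list gets the EXTRA.DAT recovery."""
    fps, real = [], []
    for d in parse_oas_log(text):
        (fps if d.is_dat5958_false_positive() else real).append(d)
    return fps, real


# Constructed sample: the first record mirrors the diary's message, the second is an
# invented hit on a later DAT that must not be dismissed as the 5958 false positive.
SAMPLE_LOG = """\
The file C:\\WINDOWS\\system32\\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.
The file C:\\Documents and Settings\\demo\\Desktop\\invoice.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5959.0000.
"""
```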
 