Multiple AV vendor vulns / updates / issues

MS AV def. performance issues...

FYI...

Update signature definitions to resolve performance issues in definitions starting with 1.141.2400.0
- https://blogs.technet.com/b/mmpc/ar...arting-with-1-141-2400-0.aspx?Redirected=true
27 Dec 2012 - "Some users of Microsoft antimalware products have reported a performance issue with signature definition versions starting with 1.141.2400.0 (12/21/2012 1920 UTC). The current definition files, since 1.141.2639.0 (12/27/2012 0625 UTC), resolve this issue. If you have a signature set in the affected range, please update to the current definition files*."
* http://www.microsoft.com/security/portal/definitions/adl.aspx

MSE Update problems

FYI...

- http://h-online.com/-1791005
24 Jan 2013 - "On Saturday, Microsoft Security Essentials (MSE), Microsoft's free anti-virus software package, stopped automatically updating its malware signatures on some systems. Users are also reporting that clicking on the "Update" button on the program window likewise fails to deliver the anticipated results. The problem appears to have been present on affected systems since 19 January. Microsoft has -not- officially commented on the issue. The problem can apparently be resolved by downloading the malware signatures from Microsoft's Malware Protection Center*. The signatures consist of a 70 MB program which must be run with administrator privileges. When downloading, users need to make sure they get the right executable – different packages are required for the 32- and 64-bit versions of MSE. In addition, users should also install updated network access control rules, available separately from Microsoft**."
* https://www.microsoft.com/security/portal/definitions/adl.aspx?wa=wsignin1.0

** https://www.microsoft.com/security/portal/definitions/howtomse.aspx

Kaspersky update hoses Internet access for XP users

FYI...

- http://news.cnet.com/8301-1009_3-57...e-hoses-internet-access-for-windows-xp-users/
Feb 5, 2013 - "Windows XP users who run certain Kaspersky antivirus software may find themselves offline after downloading a new update... the update causes Windows XP computers to lose their connection to the Internet. IT administrators who use Kaspersky Endpoint Security at their organizations chimed into the Kaspersky forum yesterday and today complaining of connectivity problems. One person who manages around 12,000 computers with KES installed noted a slew of calls to the help desk from users knocked offline. Some IT admins said they were able to restore Internet access by shutting down the monitoring of certain ports or disabling the product's Web Anti-Virus component. But those were deemed temporary solutions at best. Kaspersky did eventually acknowledge the problem, announcing a fix* to the buggy update and offering a resolution..."
* "... Kaspersky Lab has fixed the issue that was causing the Web Anti-Virus component in some products to block Internet access. The error was caused by a database update that was released on Monday, February 4th, at 11:52 a.m., EST. At 5:31 p.m. the same day, the problem was fixed by a database update being uploaded to public servers..."

- http://forum.kaspersky.com/index.php?s=&showtopic=255508&view=findpost&p=1978848

- http://h-online.com/-1799641
7 Feb 2013

AVG false positive on XP System32\wintrust.dll

FYI...

- http://h-online.com/-1823171
14 March 2013 - "On Thursday morning, the protection programs of AVG incorrectly identified the Windows system file wintrust.dll as a trojan of type "Generic32.FJU". Under certain circumstances, the virus hunting software has also labelled programs as malware if they attempted to access the supposed trojan DLL. The solution is a virus signature update. Only Windows XP systems were affected by the problem. Users who deleted the file from their system could not boot their computers any more. In this case, to help restore the system, boot it with the Rescue CD and take wintrust.dll from a still functioning system and copy that to C:\Windows\System32\. At least, according to AVG, the anti-virus software did not automatically delete or quarantine the wintrust.dll file, though other files will have to be moved back into place. The company says it fixed the problem by 12:45 on the same day with updates to virus database number 567 for AVG 9 and 2012 editions and virus database number 6174 for the current 2013 edition."
___

Kaspersky fixes IPv6 problem...
- http://h-online.com/-1822839
14 March 2013 - "Security researcher Marc Heuse discovered that the firewall in Kaspersky Internet Security 2013 has a problem with certain IPv6 packets. The researcher said that he publicly disclosed the details of the problem because Kaspersky didn't respond when he reported it. Shortly after his disclosure, Kaspersky did release a fix. A single packet is all that's required to completely cripple a Windows PC. When running tests with his IPv6 tool suite, Heuse discovered that KIS responds inappropriately to fragmented IPv6 packets that contain an overly long extension header. IPv6 support has been enabled by default since Windows Vista, therefore users would be vulnerable even without one of the still sparsely used IPv6 internet connections – for example on public Wi-Fi networks. Kaspersky has now confirmed the problem for Kaspersky Internet Security 2013, Kaspersky Pure 3.0 and Kaspersky Endpoint Security 10 for Windows. "A non-public patch [for Kaspersky Internet Security 2013] is already available from our support department on request, and an autopatch that will fix the problem automatically will be released in the near future"..."

ClamAV, McAfee updates ...

FYI...

ClamAV v0.97.7 released
- https://secunia.com/advisories/52647/
Release Date: 2013-03-18
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
... vulnerabilities are reported in version 0.97.6. Prior versions may also be affected.
Solution: Update to version 0.97.7.
Original Advisory: ClamAV:
http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html
March 15, 2013

McAfee Vulnerability Manager hotfix...
- https://secunia.com/advisories/52688/
Release Date: 2013-03-18
Impact: Cross Site Scripting
Where: From remote
... vulnerability is reported in versions 7.5.0 and 7.5.1.
Solution: Apply hotfix (please see the vendor's advisory for details*). The vendor is planning to release a MVM 7.5.2 patch at the end of March...
Original Advisory:
* https://kc.mcafee.com/corporate/index?page=content&id=KB77772
March 15, 2013

Sophos Web Appliance v3.7.8.2 released

FYI...

- https://secunia.com/advisories/52814/
Release Date: 2013-04-03
Criticality level: Moderately critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s): CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
... vulnerabilities are reported in versions prior to 3.7.8.2.
Solution: Update to version 3.7.8.2.
Original Advisory: Sophos:
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

- http://h-online.com/-1834672
3 April 2013

Malwarebytes def. file update wipes out thousands of computers

FYI...

- http://www.theinquirer.net/inquirer...urity-update-wipes-out-thousands-of-computers
Apr 17 2013 - "... Malwarebytes has wiped out thousands of computers around the world with a faulty security update, mistaking legitimate system files for malware code. The security firm confessed to the mistake in a blog post on Tuesday, and assured firms that the update has since been pulled... The update definition made it so Malwarebytes protection software treated essential Windows .dll and .exe files as malware, stopping them from running and thus knocking IT systems and PCs offline..."
> http://blog.malwarebytes.org/news/2013/04/yesterdays-database-update-issue/
April 16, 2013

> http://forums.malwarebytes.org/index.php?showtopic=125138

McAfee ePolicy Orchestrator - multiple vulns

FYI...

- https://secunia.com/advisories/53159/
Release Date: 2013-04-22
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Software: McAfee ePolicy Orchestrator 4.x
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 - 2.6
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1484 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1485 - 5.0
... weakness and vulnerabilities are reported in versions 4.6.5 and prior.
Solution: Update to version 4.6.6 or 5.0.
Original Advisory: SB10041:
https://kc.mcafee.com/corporate/index?page=content&id=SB10041
Last Modified: April 24, 2013

- https://kc.mcafee.com/corporate/index?page=content&id=SB10042
Last Modified: April 26, 2013 - "... The remediation plan is to patch the currently supported versions of ePO 4.5 and 4.6 beginning with patch 4.6.6 and 4.5.7..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0140 - 7.9 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0141 - 4.3

- http://www.kb.cert.org/vuls/id/209131
Last revised: 29 Apr 2013

- http://h-online.com/-1854555
2 May 2013

Symantec + McAfee - multiple vulns/updates

FYI...

Symantec Web Gateway Security Issues - SYM13-008
- https://www.symantec.com/security_r...pvid=security_advisory&year=&suid=20130725_00
July 25, 2013
- http://www.securitytracker.com/id/1028836
CVE Reference: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670, CVE-2013-4671, CVE-2013-4672, CVE-2013-4673
Jul 26 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.1.0 and prior...
Solution: The vendor has issued a fix (5.1.1)...

McAfee ePolicy Orchestrator - updated
- https://kc.mcafee.com/corporate/index?page=content&id=KB78824
July 19, 2013
McAfee Network Threat Behavior Analysis...
- http://www.securitytracker.com/id/1028826
Jul 24 2013
Impact: Root access via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 7.1, 7.5
Solution: The vendor has issued a fix (7.1.3.21, 7.5.3.30).
The vendor's advisory is available at:
- https://kc.mcafee.com/corporate/index?page=content&id=SB10045

Exploit Tool Targets Vulnerabilities in McAfee ePolicy Orchestrator (ePO)
- https://www.us-cert.gov/ncas/alerts/TA13-193A
July 12, 2013
___

CA Service Desk Manager - flaw permits Cross-Site Scripting Attacks
- http://www.securitytracker.com/id/1028835
CVE Reference: CVE-2013-2630
July 26 2013
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Manager 12.5, 12.6, 12.7
Description: A vulnerability was reported in CA Service Desk Manager. A remote user can conduct cross-site scripting attacks...
Solution: The vendor has issued a fix...
The vendor's advisory is available at:
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={8C50A6C7-8633-45A8-A0A6-3D454437AD53}
Platform: Windows, Sun, AIX, Linux
Affected Products: CA Service Desk Manager 12.5, 12.6, 12.7

- https://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/
July 26, 2013

McAfee Artemis/GTI File Reputation False Positive

FYI...

- https://isc.sans.edu/diary.html?storyid=16264
Last Updated: 2013-07-31 23:06:26 UTC - "... readers reporting false positive issues with McAfee's GTI and Artemis products. According to a knowledgebase article on McAfee's site, it appears that the file reputation system is producing bad results due to a server issue [1]..."

[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993
Artemis false positive detections from Global Threat Intelligence
Last Modified: August 01, 2013 - "... updated as additional information becomes available. Please check back for more information.
Problem: McAfee has determined that Artemis/GTI File Reputation is producing some false-positive detections due to a server issue.
IMPORTANT: This is not an issue with the current McAfee DAT files.
Cause: This issue was caused by specific Global Threat Intelligence servers.
Solution: McAfee is investigating this issue. This article will be updated as additional information becomes available...
IMPORTANT: If you have files that were incorrectly detected, do not restart your systems. This could cause the files to be unrecoverable.
See the following workarounds for instructions to recover from this issue..."

- https://isc.sans.edu/forums/diary/McAfee+ArtemisGTI+File+Reputation+False+Positive/16264
"... A remediation tool is now available. Customers with quarantined files should access KB78993 ( https://kc.mcafee.com/corporate/index?page=content&id=KB78993 ) to download the remediation tool and recover the quarantined files."

Sophos Web Appliance - updates

FYI...

- http://www.sophos.com/en-us/support/knowledgebase/119773.aspx
Updated: 9 Sep 2013 - "... resolved with the 3.7.9.1 and 3.8.1.1 releases of the Sophos Web Appliance software..."

- https://isc.sans.edu/diary.html?storyid=16526
Last Updated: 2013-09-09 12:55:06 UTC

- http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities
2013-09-06

- http://www.securitytracker.com/id/1028984
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4983
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4984
Sep 6 2013
Impact: Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 3.7.9 and prior, 3.8.0 and 3.8.1 ...
Solution: The vendor has issued a fix (3.7.9.1, 3.8.1.1).

- http://www.theregister.co.uk/2013/09/09/sophos_patches_web_appliance_vuln/
9 Sep 2013

Kaspersky false positive ...

FYI...

- https://isc.sans.edu/diary.html?storyid=16904
Last Updated: 2013-10-25 17:41:34 UTC - "... Kaspersky AV has identified tcpip.sys as malware on his Windows 7 32bit hosts - the file is flagged as "HEUR:Trojan.Win32.Generic". Fortunately, Microsoft's Windows File Protection feature ( https://support.microsoft.com/kb/222193 ) prevented it from quarantining this critical file... Kaspersky has verified... that this is resolved in their latest update. If you're seeing this issue, get your AV to "phone home" for the fix!"

SYM14-013 Symantec Endpoint 0-day vuln ...

FYI...

- http://www.symantec.com/business/support/index?page=content&id=TECH223338
2014-07-29 | Updated: 2014-08-04 - "... Solution: Symantec product engineers have verified these issues and have released critical updates to resolve them. Currently Symantec is not aware of exploitation of or adverse impact on our customers due to this issue. The issue, as reported, affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by accessing the computer directly, it could result in a client crash, denial of service, or, if successful, escalate to admin privileges and gain control of the computer. This vulnerability affects all versions of Symantec Endpoint Protection clients 11.x and 12.x running Application and Device Control...
- Mitigation: Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is available currently in English on Symantec FileConnect. See Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this release. All supported languages will be released to FileConnect as soon as they are available. This Knowledge Base article will be updated as further information becomes available. Please subscribe to this document to receive update notifications automatically. This version updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line. Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates to the product for this issue...
(More detail at the Symantec URL above.)

- http://www.symantec.com/security_re...pvid=security_advisory&year=&suid=20140804_00
Aug 4, 2014

- http://www.kb.cert.org/vuls/id/252068
4 Aug 2014

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3434
___

- https://www.computerworld.com/s/art...ilege_escalation_flaws_in_Endpoint_Protection
Aug 6, 2014 - "Symantec has released a patch for privilege escalation flaws in its Endpoint Protection product, and the company which found the issues released the exploit code on Tuesday..."
___

Certificate error occurs when attempting to install or upgrade Symantec Endpoint Protection
- http://www.symantec.com/business/support/index?page=content&id=TECH218029
Updated: 2014-08-06

McAfee / Fortinet - Bash Shellshock Code ...

FYI...

McAfee Security Bulletin - Bash Shellshock Code Injection Exploit Updates
- https://kc.mcafee.com/corporate/index?page=content&id=SB10085
Last Modified: 10/6/2014
CVE Number: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
US CERT Number: CERT/CC VU#252743
Red Hat Advisory RHBA-2013:1096-1
Exploit Database EDB-ID: 34766
Severity Rating: High
Base/Overall CVSS Score: 10.0 / 9.0 (All CVEs listed above)
Recommendations: Deploy the remediation signatures/rules first. Update product patches/hotfixes as they become available.
McAfee Product Vulnerability Status: Investigation into all McAfee products is ongoing. This security bulletin will be updated at least -daily- as additional information and patches are made available.
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx
(More detail at the first McAfee URL at the top of this post.)

Remediation: https://kc.mcafee.com/corporate/index?page=content&id=SB10085#remediation

- http://www.securitytracker.com/id/1030985
CVE Reference: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Oct 9 2014
___

Fortinet - GNU Bash Multiple vulns
- http://blog.fortinet.com/post/shellshock-faq
V 1.4 Sep 29 2014 - "This document will be updated and maintained as new or updated information becomes available. Continue to check this page for updates... FortiGuard Labs is currently investigating and will provide updated IPS and AV signatures if appropriate... It is important to note that FortiOS is not affected by Shellshock. FortiOS does -not- use the Bash shell... Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet issued an update* to our customers with IPS signatures to detect and prevent Shellshock attacks. This signature is available for download via FDN..."
* Latest 2014-10-02: http://www.fortiguard.com/updates/ips.html?version=5.554

- http://www.fortiguard.com/advisory/FG-IR-14-030/

ClamAV multiple vulnerabilities - updates available

FYI...

- https://secunia.com/advisories/62542/
Release Date: 2014-11-27
Criticality: Highly Critical
Where: From remote
Impact: System access
Solution Status: Vendor Patch...

- http://www.securitytracker.com/id/1031267
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497
Nov 27 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes ...
Version(s): prior to 0.98.5
Description: A vulnerability was reported in Clam AntiVirus. A remote or local user can cause denial of service conditions.
Impact: A user can cause the target service to crash...
Solution: The vendor has issued a fix (0.98.5)...

- http://www.securitytracker.com/id/1031268
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
Nov 27 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 0.98.5
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions...
The vendor's advisory is available at:
- http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
Nov 18 2014 - "... ClamAV 0.98.5 includes new features and bug fixes..."

> http://www.clamav.net/download.html

- http://www.clamav.net/about.html

- http://www.clamav.net/doc/install.html

- https://twitter.com/clamav
