I had forwarded Michael's email to the LBL MUG list since LBL too has
a site license, and Annette had this response--thought you'd all like
to read it too. - marilyn
>Resent-Date: Thu, 22 Dec 2005 13:46:14 -0800 (PST)
>Date: Thu, 22 Dec 2005 13:46:14 -0800 (PST)
>To: mug@listserv.lbl.gov
>
>From: Annette Greiner <amgreiner@lbl.gov>
>Subject: [LBNL-MUG]Fwd: [MAGNet] Fwd: MacFixIt Article:Highly
>critical; Flaw in
>Resent-Sender: mug-request@lbl.gov
>
>Thought I'd point out, because it isn't obvious from the email
>thread, that Norton Antivirus Corporate Edition is listed on the
>Symantec site as not vulnerable. That's the version the lab distributes.
>-Annette
>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
>Annette Greiner
>Web Developer
>Genome Data Systems
>DOE Joint Genome Institute
>2800 Mitchell Dr.
>Walnut Creek, CA 94598
>925-296-5728
>amgreiner@lbl.gov
>www.jgi.doe.gov
>
>
>
>On Dec 22, 2005, at 12:20 PM, Marilyn Saarni wrote:
>
>>> Date: Thu, 22 Dec 2005 10:49:28 -0800
>>> To: Michael Rimar <mrmr@berkeley.edu>, magnet-list@lists.berkeley.edu
>>> From: Ian Crew <icrew@berkeley.edu>
>>> Subject: Re: [MAGNet] Fwd: MacFixIt Article:Highly critical; Flaw in
>>> discovered in Symantec AntiVirus
>>> Sender: owner-magnet-list@lists.berkeley.edu
>>>
>>> Symantec's posted a page about the problem at:
>>>
>>> http://securityresponse.symantec.com/avcenter/security/Content/2005.12.21b.html
>>>
>>> Ian
>>>
>>> At 8:56 AM -0800 12/22/05, Michael Rimar wrote:
>>>> Hi
>>>>
>>>> Someone forwarded me this article and I'm trying to assess its
>>>> importance in my environment. I was not aware of the RAR format
>>>> and haven't encountered a need to decompress such a file.
>>>>
>>>> We have 6 basic level users on various versions of OS 10.X. What's
>>>> your impression? Feedback appreciated...
>>>>
>>>> Michael
>>>>
>>>>>>
>>>>>> "Highly critical" Flaw in discovered in
>>>>>> Symantec AntiVirus
>>>>>> Wednesday, December 21 2005 @ 09:30 AM PST
>>>>>> Secure OS X <http://www.secureosx.com/symantec/antivirus>reports
>>>>>> on a "highly critical" flaw that has been discovered in
>>>>>> Symantec's AntiVirus software for Mac OS X.
>>>>>> The vulnerability occurs when AntiVirus is decompressing files
>>>>>> compressed in the RAR format for scanning. When AntiVirus is
>>>>>> performing this operation, it is susceptible to multiple heap
>>>>>> overflows allowing attackers complete control of the system(s)
>>>>>> being protected.
>>>>>> Secure OS X reports:
>>>>>> "These vulnerabilities can be exploited remotely without user
>>>>>> interaction in default configurations through common protocols
>>>>>> such as SMTP.
>>>>>> "Successful exploitation of Symantec protected systems allows
>>>>>> attackers unauthorized control of data and related privileges. It
>>>>>> also provides leverage for further network compromise. Symantec
>>>>>> implementations are likely vulnerable in their default
>>>>>> configuration. In default configurations users are likely
>>>>>> vulnerable regardless of whether they choose to open or read
>>>>>> the email."
>>>>>> The only solution at this point is to filter RAR archives at
>>>>>> email or proxy gateways, or disable and uninstall Norton
>>>>>> AntiVirus.
>>>>>> Symantec last issued a
>>>>>> <http://www.macfixit.com/article.php?story=20051021091707669>
>>>>>> security patch in late October. That patch resolved an issue
>>>>>> where a non-privileged user could change the execution path
>>>>>> environment, then execute the DiskMountNotify component and
>>>>>> inherit the changed environment and use it to locate system
>>>>>> commands.
>>>>>> This flaw is the latest in a bevy of
>>>>>> <http://www.macfixit.com/article.php?story=20051006072329919>
>>>>>> other issues caused by the AutoProtect component of Symantec's
>>>>>> Norton AntiVirus under Mac OS X 10.4.x including apparent
>>>>>> corruption of Mac OS X temp files that can result in spiking
>>>>>> processor usage and complete system unresponsiveness.
>>>>>> Until further notice, we recommend that users uninstall AntiVirus
>>>>>> via these
>>>>>> <http://service1.symantec.com/SUPPORT/num.nsf/docid/
>>>>>> 2005051716291611?
>>>>>> Open&src=&docid=2003051315420211&nsf=num.nsf&view=docid&dtype=%
>>>>>> E2%88%8F=&ver=&osv=&osv_lvl=>instructions.
>>>>>>
>>>>>> Comment on this story at
>>>>>> http://www.macfixit.com/article.php?
>>>>>> story=20051221093111211#comments
>>>>>>
>>>>> ------------------------------
>>>>> Michael Rimar
>>>>> Administrative Assistant
>>>>> UC Botanical Garden
>>>>> 200 Centennial Drive #5045
>>>>> Berkeley, CA 94720-5045
>>>>> 510-642-0849
>>>>> fax 510-642-3012
>>>>> http://botanicalgarden.berkeley.edu
>>>
>>>
>>> --
>>> _______________________________________________________________
>>> Ian Crew
>>> Workstation Support Services
>>> Information Systems and Technology
>>> University of California, Berkeley
>>> icrew@berkeley.edu
>>> Voice: 510-642-7795
>>> Fax: 510-643-5385
>>
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Fri Dec 23 09:21:42 2005
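
The gateway mitigation named in the quoted MacFixIt article (filtering RAR archives at the email gateway) can be sketched as follows. This is an added example, not part of the original thread or any vendor's code; the function names, the scan window size and the sample message are assumptions made for illustration. It sniffs decoded attachment content for the RAR marker instead of trusting the filename or declared MIME type.

```python
import email
from email import policy
from email.message import EmailMessage

# RAR markers: "Rar!\x1a\x07\x00" (RAR 1.5-4.x) and "Rar!\x1a\x07\x01\x00" (RAR 5).
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Assumption: search the first 1 MiB rather than offset 0 only, so an archive
# with data prepended to it (e.g. a self-extracting stub) is still caught.
SCAN_WINDOW = 1 << 20

def find_rar_parts(raw_message: bytes) -> list:
    """Label every MIME leaf part whose decoded body contains a RAR marker."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into attached messages
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        body = (part.get_payload(decode=True) or b"")[:SCAN_WINDOW]
        if any(magic in body for magic in RAR_MAGICS):
            hits.append(part.get_filename() or part.get_content_type())
    return hits

def gateway_verdict(raw_message: bytes) -> str:
    """Quarantine before any scanner on the protected host unpacks the file."""
    return "QUARANTINE" if find_rar_parts(raw_message) else "DELIVER"

def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed test message carrying one base64-encoded attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    disguised = build_sample(b"Rar!\x1a\x07\x00" + b"\x00" * 32, "report.pdf")
    benign = build_sample(b"%PDF-1.4\n% constructed\n", "report.pdf")
    print(gateway_verdict(disguised), find_rar_parts(disguised))
    print(gateway_verdict(benign), find_rar_parts(benign))
```
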