Symantec Wins Bug of the Month

Part of: BugBlog

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Symantec, the company that's supposed to keep hostile code off our computers. But as the BugBlog reported on May 29:

Symantec says their enterprise line of anti-virus software, Symantec Client Security 3.1 and Symantec Antivirus Corporate Edition 10.1, are vulnerable to a stack overflow that may allow both local and remote attackers to run their code on the target computers. Symantec has updated virus signatures to check for attacks that may exploit this. See Symantec's report for news on updates. Symantec credits eEye Digital Security for finding this bug, which does not affect the consumer-level Norton AntiVirus products.

Actually, this bug could have been worse — it only affected Symantec's corporate customers, and not those who use their consumer line of Norton AntiVirus products. The fix was not long in coming, as the 6/1 BugBlog showed:

Symantec did not patch every vulnerable build of Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Corporate Edition to the remote attacks first discussed in the 5/29 BugBlog. In some cases, Symantec customers will first need to upgrade to one of the versions that's been patched, and then apply the patch. A detailed table on their site shows each affected build and what you need to do to eliminate the security problem.

While the bug was quickly fixed, there's been some grumbling over the fact that some users had to move to another version, and there are reports of some incompatibilities with the upgrade and some projects from Scriptlogic. The Internet Storm Center has a round-up on these issues. While these reports don't help Symantec, they are not the main reason Symantec won the Bug of the Month — it won for the irony of security software opening up security holes.


Article Author: Bruce Kratofil

Bruce Kratofil blogs on bugs and other things that can go wrong with your computer at The BugBlog, and writes about computers and economics at BJK Research
