Cupertino (CA) – Stack buffer overflows, which let an attacker run code of his own choosing on a remote machine with whatever privileges the vulnerable program holds, remain perhaps the most common class of serious flaw in all of computing, and the foothold exploited by some of the worst worms and viruses. As a news item, a single overflow is generally barely a blip on the radar; but when one turns up in an enterprise-level anti-virus program itself, it commands more attention, with the potential for embarrassment and negative publicity for the security vendor. An anti-virus engine runs with high privileges and parses whatever untrusted data it is handed, which is exactly the combination an overflow exploit needs.
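To make the mechanism concrete, here is an added illustration in C; it is not code from Symantec, eEye, or this article, and it does not reproduce the actual flaw reported here. It models a privileged service copying a network-supplied string into a fixed-size local buffer, with the frame represented as a single byte array (a hypothetical `frame_t`) so that the demonstration stays within defined behaviour; in a real frame the excess bytes would run into saved registers and the return address instead of the `is_admin` local modelled here. The packet bytes and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Model of a callee's stack frame: a fixed-size buffer for the
 * caller-supplied name, immediately followed by a local that later
 * code trusts.  Kept as one byte array so every write below lands
 * inside a single object (hypothetical layout, constructed for the demo).
 */
#define NAME_LEN   16u                          /* bytes reserved for the name */
#define FLAG_OFF   NAME_LEN                     /* "is_admin" sits right after it */
#define FRAME_LEN  (NAME_LEN + sizeof(uint32_t))

typedef struct {
    unsigned char bytes[FRAME_LEN];
} frame_t;

/* Fresh frame: empty name, is_admin = 0. */
void frame_init(frame_t *f) {
    memset(f->bytes, 0, sizeof f->bytes);
}

/* Read the trusted local that follows the buffer. */
uint32_t frame_is_admin(const frame_t *f) {
    uint32_t v;
    memcpy(&v, f->bytes + FLAG_OFF, sizeof v);
    return v;
}

/*
 * VULNERABLE: the length comes from the attacker's packet and is never
 * compared against NAME_LEN, so `len` bytes of attacker data are written
 * from the start of the buffer and spill into whatever follows it.
 * (The cap at FRAME_LEN only keeps the model itself in bounds.)
 */
int copy_name_unchecked(frame_t *f, const unsigned char *src, size_t len) {
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    memcpy(f->bytes, src, len);
    return 0;
}

/*
 * HARDENED: refuse anything that does not fit with room for the
 * terminator, and report the refusal so the caller cannot proceed
 * as if the copy had succeeded.
 */
int copy_name_checked(frame_t *f, const unsigned char *src, size_t len) {
    if (src == NULL || len >= NAME_LEN)
        return -1;                          /* caller must treat this as an error */
    memcpy(f->bytes, src, len);
    f->bytes[len] = '\0';
    return 0;
}

/*
 * Feed both copies the same constructed packet: 16 filler bytes that fill
 * the buffer exactly, then 4 bytes of 0x01 that land on is_admin (nonzero
 * on either endianness).  Returns true when the unchecked copy flipped the
 * flag and the checked copy rejected the input.
 */
bool demo_overflow(void) {
    unsigned char packet[NAME_LEN + 4];     /* constructed attacker input */
    memset(packet, 'A', NAME_LEN);
    memset(packet + NAME_LEN, 0x01, 4);

    frame_t vuln, safe;
    frame_init(&vuln);
    frame_init(&safe);

    copy_name_unchecked(&vuln, packet, sizeof packet);
    int rc = copy_name_checked(&safe, packet, sizeof packet);

    return frame_is_admin(&vuln) != 0 && rc == -1 && frame_is_admin(&safe) == 0;
}

/* Well-formed input goes through the checked copy untouched. */
bool demo_in_bounds(void) {
    static const unsigned char name[] = "bob";   /* constructed sample */
    frame_t f;
    frame_init(&f);
    int rc = copy_name_checked(&f, name, 3);
    return rc == 0 && memcmp(f.bytes, "bob", 4) == 0 && frame_is_admin(&f) == 0;
}
```

The point of the hardened version is not the `memcpy` itself but the check that precedes it and the error return that follows: a copy routine that silently truncates still lets a malformed packet reach the code that trusts the frame, which is why the fix reports failure instead.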
The problem facing Symantec this weekend has been how to rebound from a potential black eye and turn a negative situation into a positive one; putting a favorable spin on the affair has been as big an effort for Symantec as the programming. Just last Friday, the company confirmed a stack overflow vulnerability discovered by the independent security firm eEye, affecting corporate customers of Symantec Client Security and Symantec AntiVirus. No Norton AV products, produced by a separate division and aimed at consumers, were affected.
The timing of eEye’s discovery could hardly have been worse, coming just days before Symantec’s planned unveiling of its full-time consumer-level security service Norton 360, which the company announced today will enter public beta later this summer.
Though multiple news sources cite Symantec as saying the patch for the overflow was issued on Sunday, our own sources and testing indicate it went live late yesterday. The way the patch is being delivered affords Symantec a little bonus, of a variety perhaps inspired by Microsoft: customers of Symantec Client Security versions 3.0.0 and 3.0.1 are not being offered a patch at all, but are being asked to upgrade to version 3.1.0, build 394 or higher. Patches are available for Client Security version 3.0.2, which covers Maintenance Release 2 (plus the Point Patch for Maintenance Release 2) and Maintenance Patches 1 and 2. Likewise, customers of Symantec AntiVirus Corporate Edition versions 10.0.0 and 10.0.1 are being asked to upgrade to version 10.1.0, build 394 or higher, while patches are available for all builds of version 10.0.2. Administrators should confirm the build number actually installed on each client after deployment rather than assuming the push completed.
The bonus is that corporate customers now have an even greater incentive to make those long-overdue upgrades. CORRECTION: According to Symantec, the vulnerability discovered by eEye does not affect earlier builds of Client Security dating back to version 1.0, nor AntiVirus Corporate Edition dating back to version 8.0. However, without extensive testing on the part of Symantec, eEye, or someone else, it isn’t clear whether those earlier versions contain similar buffer overflows of their own.
Both Client Security and AntiVirus Corporate Edition are sold to corporate customers on a per-seat license basis, with an annual maintenance plan that can be renewed or upgraded each year. Upgrades from older versions are available for reduced license fees, and it does not take a professional analyst to predict that sales of those upgrade licenses may be in for a boost.
Newspapers this morning are applauding Symantec’s quick, over-the-weekend response, especially compared with the five months an eEye spokesperson told reporters such responses take on average. But some may not be aware that vendors finding vulnerabilities in their own software is routine throughout the industry, not just among security software vendors, and that when patches take months to appear, it is generally not because months of effort are needed to implement the fix, but because companies prefer not to trumpet their own software’s vulnerabilities and instead hold fixes for bundled, more conveniently scheduled “maintenance releases.”
In Symantec’s case, with the spotlight already on the company for its Norton 360 unveiling and for having sued Microsoft two weeks ago for misappropriation of trade secrets, it was evidently more convenient to act swiftly now. Norton 360 will be able to update consumers’ products automatically, so that they are protected from vulnerabilities they may never have to know about. Given the hurdles Symantec had to clear over the Memorial Day weekend, it would be no surprise if the company came to prefer a certain lack of curiosity among its customers.