Worm Attacks Symantec Enterprise Antivirus

"Big Yellow," the name eEye Digital Security has given the worm, was first captured Thursday by one of the company's honeypot systems. The worm, which also has a botnet component that turns a victimized machine into a zombie at the beck and call of its controller, exploits a critical vulnerability in Symantec AntiVirus and Symantec Client Security, two of the vendor's business security products. That vulnerability was reported to Symantec by eEye in May; Symantec fixed the flaw in June.

Symantec's first notice of the vulnerability in AntiVirus and Client Security was posted May 26, and patches were made available June 6. On Nov. 29, Symantec made note of the release of exploit code.

"We've seen exploit code for some time, but [Big Yellow] is the first truly automated threat," says Marc Maiffret, eEye's chief technology officer. The worm, which appears to be of Chinese origin, already has infected a number of systems worldwide.

But while Maiffret took Symantec to task for downplaying the threat as far back as May, he left his most pointed criticism for short-sighted enterprises.


"Symantec used crappy wording [in its alert]. When a security professional reads 'elevation of privilege,' they think of something that can be only exploited locally. But this is a remotely exploitable bug. Symantec tried to downplay the threat, but they just do themselves, and their customers, a disservice by not correctly labeling it," says Maiffret.

Worse, however, is the blind eye most corporations turn to non-Microsoft vulnerabilities, and the difficulty they have in keeping up with necessary patches.

"I've been preaching this all during 2006, that it's more than a Microsoft world," says Maiffret. In fact, he says he's used the May Symantec vulnerability during security conference presentations as the perfect example of the kind of bug that could hit enterprises.

"The release of malware of this magnitude targeting non-Microsoft software was only a matter of time," says Maiffret. "IT needs to understand that the new vector for attack will not come from Microsoft, but from the applications that are scattered throughout its network."

With IT focused on Microsoft and Patch Tuesday, many companies ignore third-party vulnerabilities. Part of the problem, according to Maiffret, is the lame update and patch notification process that many vendors use. Symantec, for instance, doesn't use an auto-update mechanism for Client Security or AntiVirus, which means customers must first be aware of a vulnerability, and then know how to find and download the patch themselves.
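Where a product lacks auto-update, the defender's fallback is an inventory check: compare what is actually installed on each host against the minimum fixed version per product and flag anything below it, as well as software that is installed but not tracked at all. The following is an added example written for this article, not code from eEye, Symantec or the original piece; the product names, hosts and version numbers are constructed, and the real minimum fixed versions for any product must be taken from the vendor's own advisory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledProduct:
    """One row of a software inventory (constructed sample data below)."""
    host: str
    product: str
    version: str


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.1.4.4000' into (10, 1, 4, 4000).

    A component such as '2b' contributes only its leading digits, so
    pre-release suffixes do not break the comparison.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, minimum_fixed: str) -> bool:
    """True when the installed version is at or above the minimum fixed one.

    Shorter version strings are padded with zeros, so '10.1.4' compares as
    10.1.4.0 against '10.1.4.4000' and is correctly reported as unpatched.
    """
    a, b = parse_version(installed), parse_version(minimum_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(inventory: list[InstalledProduct], minimum_fixed: dict[str, str]) -> dict[str, list[InstalledProduct]]:
    """Split the inventory into hosts that need a patch and software IT is not tracking."""
    unpatched = [p for p in inventory
                 if p.product in minimum_fixed and not is_patched(p.version, minimum_fixed[p.product])]
    untracked = [p for p in inventory if p.product not in minimum_fixed]
    return {"unpatched": unpatched, "untracked": untracked}


# Constructed sample inventory and fixed-version table; the product names and
# version numbers are placeholders, not any vendor's real release numbers.
SAMPLE_INVENTORY = [
    InstalledProduct("ws-01", "ExampleAV Client", "9.2.0"),
    InstalledProduct("ws-02", "ExampleAV Client", "10.0.2"),
    InstalledProduct("ws-03", "ExampleMedia Player", "7.0.1"),
    InstalledProduct("ws-04", "UnknownTool", "1.0"),
]
SAMPLE_MINIMUM_FIXED = {
    "ExampleAV Client": "10.0.2",
    "ExampleMedia Player": "7.1.0",
}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, SAMPLE_MINIMUM_FIXED)
    for p in report["unpatched"]:
        print(f"PATCH NEEDED  {p.host}: {p.product} {p.version} < {SAMPLE_MINIMUM_FIXED[p.product]}")
    for p in report["untracked"]:
        print(f"UNTRACKED     {p.host}: {p.product} {p.version} (no fixed version on record)")
```

The "untracked" list is the point Maiffret makes about applications IT is not even aware of: a product that is installed but has no entry in the fixed-version table cannot be judged patched or unpatched, and the first step is to get it onto the list. In practice the inventory rows would come from a software-inventory or endpoint-management export rather than the constructed list shown here.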

"As Microsoft gets better [about security] attackers realized that there's so much other software out there," says Maiffret. "But the average vendor is about seven years behind Microsoft" in its vulnerability research and update processes. "They're still partying like it's 1999."

Maiffret's convinced that 2007 will see an explosion in vulnerabilities in and exploits against the likes of Symantec and other non-Windows vendors, including Apple. "From anti-virus to iTunes, these non-Microsoft desktop applications, many of which IT is not even aware of, will become the enterprise's biggest point of vulnerability very, very quickly," he says.

Symantec's current advice is to patch Symantec AntiVirus and Client Security to protect systems against threats such as Big Yellow. A detailed guide on what versions must be patched and how is available on the Symantec support site.