Wednesday, May 31, 2006

Symantec vulnerabilities update confusion.

All versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable. Symantec Antivirus Corporate Edition versions 8.x and 9.x seem to be OK.

Symantec released 4 patches for each product:

Symantec Antivirus Corporate Edition: 10.1.0.394 -> 10.1.0.396; 10.1.0.400 -> 10.1.0.401; 10.0.2.2010 -> 10.0.2.2011; 10.0.2.2020 -> 10.0.2.2021
Symantec Client Security: 3.1.0.394 -> 3.1.0.396; 3.1.0.400 -> 3.1.0.401; 3.0.2.2010 -> 3.0.2.2011; 3.0.2.2020 -> 3.0.2.2021

Now, if you are running any other version that is affected, you will first have to upgrade to one of the versions that have a patch out and then install the patch. I hope this will clear the confusion.

There seem to be some mitigations to the problem, though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (meaning that you can't manage the client from the centralized server, at least not until the client connects to it), you should be OK.

This is the kind of problem I really don't like. And I'm possibly not the only one. Do I have another AV product on my machine? What do you think?
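The version logic above, as an added example (not from the original post or from Symantec): a Python triage function that maps a client's product and build to the action the post describes. The product keys SAV/SCS, the host names, the sample inventory and the builds 10.0.1.1000 and 9.0.3.1000 are constructed for illustration.

```python
# Patch matrix as listed in the post: vulnerable build -> patched build.
PATCHES = {
    "SAV": {"10.1.0.394": "10.1.0.396", "10.1.0.400": "10.1.0.401",
            "10.0.2.2010": "10.0.2.2011", "10.0.2.2020": "10.0.2.2021"},
    "SCS": {"3.1.0.394": "3.1.0.396", "3.1.0.400": "3.1.0.401",
            "3.0.2.2010": "3.0.2.2011", "3.0.2.2020": "3.0.2.2021"},
}
# Release lines the post names as affected, as (major, minor).
AFFECTED = {"SAV": {(10, 0), (10, 1)}, "SCS": {(3, 0), (3, 1)}}

# Constructed sample inventory: (host, product, build, inbound TCP 2967 blocked?)
INVENTORY = [
    ("ws-01", "SAV", "10.1.0.394", False),
    ("ws-02", "SAV", "10.0.1.1000", True),
    ("ws-03", "SAV", "9.0.3.1000", False),
    ("ws-04", "SCS", "3.1.0.401", False),
]


def triage(product, version, port_2967_blocked=False):
    """Return (status, action) for one client, following the post's rules."""
    parts = version.split(".")
    if product not in PATCHES or len(parts) != 4 or not all(p.isdigit() for p in parts):
        return ("unknown", "check product and version manually")
    line = (int(parts[0]), int(parts[1]))
    if line not in AFFECTED[product]:
        return ("not listed as affected", "none")
    if version in PATCHES[product].values():
        return ("patched", "none")
    if version in PATCHES[product]:
        action = "install patch to " + PATCHES[product][version]
    else:
        action = "upgrade to a build that has a patch, then install the patch"
    # Blocking inbound TCP 2967 (Rtvscan.exe in managed mode) is the
    # mitigation described in the post; report it alongside the patch action.
    status = "vulnerable, mitigated by firewall" if port_2967_blocked else "vulnerable"
    return (status, action)


def report(inventory):
    """Triage every host in the inventory; returns {host: (status, action)}."""
    return {host: triage(prod, ver, blocked) for host, prod, ver, blocked in inventory}


if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(host, *result, sep=" | ")
```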