Saturday

Symantec Admits Using Rootkits

Symantec Corp has issued an update to its popular Norton SystemWorks software utility suite, to fix a security problem which can potentially be exploited by hackers to hide malware on a user’s system.

The discovery was made in part by Mark Russinovich, the same Sysinternals researcher who investigated the Sony rootkit, and by F-Secure, a Finnish security company which has a rootkit detection product for helping it address the SystemWorks issue.

The security researchers found that Norton SystemWorks and Norton SystemWorks Premier contain a feature called “Norton Protected Recycle Bin,” or “NProtect”, which resides within the Microsoft Windows Recycler directory but remains hidden from Windows. “NProtect” creates a backup of everything that the user sends to the Windows recycle bin. But it turns out that files in the Norton bin directory may not be scanned during scheduled or manual virus scans, leaving scope for an attacker to hide a malicious file on a computer running the software.

Symantec says in its advisory that when “NProtect” was first released, hiding its contents helped ensure that a user would not accidentally delete his files. However, in light of current techniques used by malicious attackers, the company has re-evaluated the value of hiding this directory, and has released an update that will make “NProtect” visible within the Windows Recycler directory. The update makes it possible for files within “NProtect” to be scanned by scheduled and manual scans, as well as by on-access scanners like Auto-Protect.

The updated version is available through the Symantec LiveUpdate service, and installing the software requires a system reboot.

Russinovich said that in this case Symantec was using cloaking techniques to protect users from themselves and from deleting files, but the company ended up creating a potential security risk.

Security firm Secunia has given a “not critical” rating to the problem, and Symantec maintains the risk impact is “low”.
