Flaws Found in Symantec Scan Engine

By Ed Oswald | Published April 25, 2006, 4:30 PM

Symantec earlier this week warned of vulnerabilities within its Scan Engine, a programming interface that allows third parties to incorporate scanning technologies into their applications. The security software maker has rated the vulnerabilities as a "medium risk."

According to the advisory, the first problem lies within an issue in authenticating Web-based logins. "Anyone with knowledge of the underlying communication mechanism can control the Scan Engine server," the notice reads.

Another flaw opens the program up to a "man-in-the-middle attack." According to Symantec, the DSA key used for SSL communications is easily extracted.

Remote users could also download any file in the installation directory of the program through a third flaw. Using regular or specially crafted HTTP requests, the information could be easily accessed.

The company stressed that these vulnerabilities only affect the Scan Engine and none of its desktop applications.

Customers are urged to upgrade to Symantec Scan Engine 5.1 in order to protect themselves from the flaw. At this time, there are no known available exploits. However, proof-of-concept code has already been published, security researchers warn.

Comments

Symantec has sucked since I can remember, it's useless.

Score: 0

|

I have found that Symantec has been going down hill since win98. From not removing viruses, to just becoming corrupted and having to reinstall. I am not sure of the reasons, but it makes it hard to stay behind them.
McAfee is another product I dislike, but have installed it on customer's PC when they ask. It was also a sure bet that I would be returning for problems on their PCs. I have heard that the recent scanning techniques used by McAfee are pretty good and are leading the way, but still would never use their products.

Symantec for Servers, I have heard different stories. Anyone have a suggestion towards a great antivirus for Windows SB Server 2003? I am interested in buying one within 30 days.

Score: 0

|

Look into Avast!. www.avast.com

Score: 0

|

For server? I have used it for the Personal PC and found that it does have issues with updating regularly. In spite of all the settings, it still has errors. I would require something a bit more reliable.

Score: 0

|

Sophos

Score: 0

|

So for the business world, what av do you all recommend?

Score: 0

|

I like Trend Micro's products.

Score: 0

|

Yeah... I tell my friends that Symantec Antivirus is like a paper shield against a bullet (which kind I choose depends on my mood).

Score: 0

|

i am a computer engineer with my own persional business

and one thing I refuce to do is install ANY Macfee or norton products .also any machine I build the warranty is void if any of the above is installed or used

time and time again
the computer has crashed out and what av is the client running.say no more

the've just installed the new version of mccappie and it killed windows

mind you i'm not complaining i've made £££££££
out of it

Score: 0

|

Exactly. Their producs starting showing issues on win98, that to this day have not been corrected, though documented. Heck, their own products conflict with eath other.
Symantec, please continue on your merry way: never fixing past mistakes while simultaneously acquiring good software apps and thrashing them as well.
Can't understand how Google chose to bundle one those products...

Score: 0

|

I have installed Mcafee for a lot of people (par their request) and have never had a problem. I use avast because I am on x64, but if I wasnt my ISP provides Mcafee for free so I would be using that. If I was going to pay for one it would be trend micro...i have heard panda is good but I dont know.

Score: 0

|

oops...not enough problems already, let's add some more, eh?

Score: 0

|

This is such a gaping novice move, that anybody still trusting symantec for serious security needs must indeed need to have their heads checked out.
""It's totally a fake authentication scheme," said Chad Loder, Rapid7's engineering director. "This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol.""

Score: 0

|

Silverlight 3 goes live on Microsoft's servers

Microsoft's answer to Adobe's Flash is (unofficially) here, with prospects of higher-speed, higher-resolution video and for the first time, 3D.

Three Android phones on the way from T-Mobile in 2009

T-Mobile's myTouch 3G, launched Wednesday, will be followed by two more Android phones later this year, but neither of them will be HTC's Hero.

Best Buy-brand TVs to get TiVo

A new alliance will place the retailer's own brand alongide the manufacturers, and could also lead to future partnerships on services.

LTE still lacks a voice

The 4G Wireless standard that Verizon hopes to show off before this year is out is still at a loss for (spoken) words.

Data sharing among online advertisers: Is sanity in sight?

Lockdown with Angela Gunn In the middle of a 15-page plea not to get regulated, a spark of smart thinking.

T-Mobile's strategy to combat Apple's iPhone with Android

With a trio of Android phones now in the pipeline for 2009, T-Mobile hopes to break the iPhone's emerging stranglehold.

EC's Reding: Government should act as broker for media downloads

If Internet media services don't step up and build an attractive way for users to start paying for downloads, a commissioner says, government may do the job instead.

Sony TVs get Netflix, still no PS3

Though it's coming in behind LG, Samsung, and Microsoft, Sony will begin to offer Netflix streaming, too.

Google Chrome OS: Too little, too early

Carmi Levy: Wide Angle Zoom Don't start the revolution just yet, says Carmi, who isn't so certain Chrome OS will be the "Windows Killer."

GAO pen test brings the hammer down on federal rent-a-cops

But are the computers to blame for the contract-guard fiasco at FPS?

What's Next: Chrome OS will have at least some friends in high places

Also: South Korea takes another round of DDoS abuse, and Neelie Kroes and Steve Ballmer may shake hands before she exits stage left.

Report: Evidence of further creativity with Windows 7 upgrade prices

A ZDNet blogger did some serious digging for clues as to a reported price break on multiple Windows 7 Home Premium licenses, and may have found it.