#1 satrow (Super Moderator)

    Symantec/Norton dangerously insecure.

    Time to update and study the alternatives?

    Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it - the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
    "These vulnerabilities are as bad as it gets," Tavis Ormandy, a researcher with Google's Project Zero, wrote in a blog post. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
    High-severity bugs in 25 Symantec/Norton products imperil millions.


#2 Rick Corbett (Super Moderator)
    Thanks for the heads-up. I hadn't seen this and some of my family use Norton 360.

#3 petesmst (5 Star Lounger)
    Perhaps some amplification is needed here to avoid "panic": If you are using a Symantec product, it will automatically download and install any necessary patches/updates; these will correct the vulnerabilities reported by the OP. To ensure that you have the latest updates, manually run "update" in your product.

    I quote from the Symantec Site: "Norton Family:

    Product update is delivered via LiveUpdate™. LiveUpdate™ runs automatically at regular intervals or users can run an interactive LiveUpdate™.

    To perform LiveUpdate™ interactively, users should:

    Access LiveUpdate™ in the product

    Run LiveUpdate™ until all available updates are downloaded and installed

    The Help -> About box in the product UI will show the version 22.7.0.x if the update has been successfully applied."

#4 Super Moderator
    I also wasn't aware of this advisory, but I had been made aware of an upgrade to Norton on another forum, and a Check for updates gave me the patch to upgrade it to 22.7.0.76, which required a reboot to take effect.

    I think a manual check for.. was required for this patch, but opening Norton and clicking on the Help button and then on New Version Check will tell you if you have the latest version.

#5 Star Lounger
    I would have thought that if a user runs Norton's LiveUpdate(TM), this would address known exploits of the type described in satrow's post, but it wouldn't address such an exploit that was brand new. Is this accurate, or is Norton addressing this type of exploit as well as instances of that exploit?

  7. #6


#7 RetiredGeek (Super Moderator)
    Hey Y'all,

    Here's a direct link to killing this bad boy in Windows.

    I just did this, after creating a system restore point JIC! Easy peasy! HTH


#8 lumpy95 (Silver Lounger)
    I don't use Symantec/Norton but I assume that I should block this CA anyway, correct?

#9 Rick Corbett (Super Moderator)
    Quote Originally Posted by lumpy95
    I don't use Symantec/Norton but I assume that I should block this CA anyway, correct?
    Yes. Here's how another website explains it in slightly greater detail:

    Since they now have a trusted CA, and they're known for creating MiTM attack devices, they can use this certificate to issue fake certificates for any website you visit. To clarify, they can intercept your connection to, say, YourBank.com, open their connection to YourBank using their real certificate, but send your computer their own certificate that claims to be YourBank's, sign it with their trusted CA, and your computer won't blink an eye. It will implicitly trust it, seeing as if it checks the signing CA, it'll find that it is properly signed, and trusted on your machine.

    They'll be able to see all your traffic and YourBank won't know the difference as the traffic will be re-encrypted using the real certificate before it's sent off to them. The same applies to literally any website that uses HTTPS to encrypt their connection. Facebook, Google, iCloud... all fair game.

    This all means you should definitely be worried. But everything will be okay, because you can "untrust" this shady intermediate CA from Blue Coat on both Mac and Windows. At least for now, until they make a new one.
    (My emphasis)

    Hope this helps...


#10 lumpy95 (Silver Lounger)
    I ran the Direct link that RG posted and put the CA in Untrusted Certificates, BUT after doing that I can't seem to find the section in Group Policy where those certificates are located. Where do I look for the trusted and untrusted certificate folders?

#11 Rick Corbett (Super Moderator)
    Quote Originally Posted by lumpy95
    I can't seem to find the section in Group Policy where those certificates are located. Where do I look for the trusted and untrusted certificate folders?
    It's not the Group Policy editor (gpedit.msc) you want. Instead, you need the Microsoft Management Console (mmc.exe) and add the Certificates snap-in:

    1. Click Start.
    2. Type mmc in the Search programs and files text entry box.
    3. When mmc.exe appears in the search results, right-click and choose Run as administrator.
    4. When the console window appears, select File > Add/Remove Snap-in....
    5. Select the Certificates snap-in in the left pane then click on the Add > button in the centre (or center).
    6. In the dialog which appears, choose the Computer account option then click on the Next button.
    7. In the next dialog, leave the setting at the default Local computer option and click on the Finish button.
    8. Back at the Add or Remove Snap-ins dialog, click on the OK button to dismiss the dialog.
    9. In the left-hand pane you can now expand the Certificates tree to show the Untrusted Certificates > Certificates branch.

    Hope this helps...


#12 lumpy95 (Silver Lounger)
    Thanks for the directions Rick. When I look in the untrusted certificates, I don't see the Blue Coat certificate even though I checked after importing it to the untrusted folder and it said it was there.

#13 Rick Corbett (Super Moderator)
    Quote Originally Posted by lumpy95
    When I look in the untrusted certificates, I don't see the Blue Coat certificate even though I checked after importing it to the untrusted folder and it said it was there.
    Sorry... I should have asked earlier.

    In Step 3 of the Untrusting the Blue Coat Intermediate CA from Windows instructions, did you install the certificate to Current User or Local Machine (i.e. system-wide)? My instructions assumed Local Machine.

    If you installed to Current User then you're looking at the wrong tree in the Certificates snap-in. It's easy to fix. In File > Add/Remove Snap-in... just add the Certificates snap-in again but this time choose the My user account option.

    (IMO it's always best to install to Local Machine... just in case you create a new account and forget to install the certificate to Untrusted for the new account.)

    Hope this helps...
    Last edited by Rick Corbett; 2016-08-29 at 13:34.

#14 lumpy95 (Silver Lounger)
    Quote Originally Posted by Rick Corbett View Post
    In Step 3 of the Untrusting the Blue Coat Intermediate CA from Windows instructions, did you install the certificate to Current User or Local Machine (i.e. system-wide)? My instructions assumed Local Machine.
    I followed the instructions to a "T" and selected Local Machine and afterwards I checked by running the cert again which said that it was untrusted.

#15 Rick Corbett (Super Moderator)
    Quote Originally Posted by lumpy95
    I followed the instructions to a "T" and selected Local Machine and afterwards I checked by running the cert again which said that it was untrusted.
    Strange... I just checked my PC and found it in Current User > Untrusted, not Local Machine. I assume that it depends on the type of certificate.


    The process was also different to the Untrusting the Blue Coat Intermediate CA from Windows instructions inasmuch that I didn't see a choice of Current User or Local Machine in the Certificate Import Wizard.

    Hope this helps...
    Last edited by Rick Corbett; 2016-08-29 at 13:55.
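For the Current User versus Local Machine question in posts #13 to #15, and as a scripted alternative to the MMC snap-in steps in post #11, here is a PowerShell check added to this thread (it is not from any post above nor from the linked untrusting instructions). It reports which hive and store a certificate matching a subject pattern sits in, so you can confirm the "untrust" landed in the Disallowed store; the '*Blue Coat*' pattern is an assumption, adjust it to the CA you imported.

```powershell
# Added example: locate a certificate across the Windows certificate stores.
# Disallowed = "Untrusted Certificates", Root = "Trusted Root Certification
# Authorities", CA = "Intermediate Certification Authorities" in the MMC snap-in.
function Get-CertStoreLocations {
    param(
        [Parameter(Mandatory)][string]$SubjectPattern
    )
    $hives  = 'CurrentUser', 'LocalMachine'
    $stores = 'Disallowed', 'Root', 'CA'
    foreach ($hive in $hives) {
        foreach ($store in $stores) {
            $path = "Cert:\$hive\$store"
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem -Path $path |
                Where-Object { $_.Subject -like $SubjectPattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Hive       = $hive
                        Store      = $store
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                    }
                }
        }
    }
}

# Subject pattern is an assumption; replace it with the CA you untrusted.
$found = Get-CertStoreLocations -SubjectPattern '*Blue Coat*'
if (-not $found) {
    Write-Output 'No certificate matching the pattern in any checked store.'
} else {
    $found | Format-Table -AutoSize
    # A copy in Root or CA whose thumbprint has no Disallowed entry in the same
    # hive is still trusted there, which is what post #13 warns about.
    foreach ($hive in 'CurrentUser', 'LocalMachine') {
        $blocked = $found |
            Where-Object { $_.Hive -eq $hive -and $_.Store -eq 'Disallowed' } |
            Select-Object -ExpandProperty Thumbprint
        $found |
            Where-Object { $_.Hive -eq $hive -and $_.Store -ne 'Disallowed' -and
                           $blocked -notcontains $_.Thumbprint } |
            ForEach-Object {
                Write-Warning "$($_.Thumbprint) is trusted in $hive\$($_.Store) with no Disallowed entry"
            }
    }
}
```

Run it from an elevated PowerShell prompt so the LocalMachine hive is readable; a certificate that appears only under CurrentUser\Disallowed is untrusted for that account alone.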
