Home & Office

Symantec admits to LiveUpdate security hole

German hackers have warned that an intruder could redirect the virus update to an illicit server of their choice, creating a major security breach
Written by Wendy McAuliffe, Contributor

A group of German hackers have exposed a new vulnerability in Symantec's LiveUpdate 1.4, which could be used to download and run hostile code from an unauthorised server.

Symantec, which makes antivirus and security software, has confirmed that older versions of its virus definition software will allow the deployment of malware such as trojan application viruses, and the remote penetration of systems running LiveUpdate. The risk of unauthorised intrusion is lessened on systems running the latest version 1.6, but network degradation and outages could still be possible.

The German hacking group Phenoelit who spotted the security hole is adamant that LiveUpdate could be forced to download illicit programmes onto the querying host. "When LiveUpdate 1.4 is started (either by hand or by a scheduled task), it looks for the server 'update.symantec.com'," states the Phenoelit bulletin. "An attacker can use one of several attacks to return false information to the querying host."

According to the Phenoelit alert, when the host running LiveUpdate tries to connect to update.symantec.com via FTP, it is possible for an attacker to redirect the request to a server of their choice. LiveUpdate will then try to download the necessary files, which will be compared with existing versions of Symantec software installed on the host to see if an upgrade is needed. LiveUpdate will then uncompress the files and perform the actions described in their coding, which includes the execution of downloadable attachments.

LiveUpdate 1.6 follows the same update procedure, but includes the safeguard of "cryptographic signatures" of all update files. According to Symantec, this makes it virtually impossible to use the latest version as a penetration tool. Mis-direction attacks can also be controlled by Norton AntiVirus products, which are designed to detect and block malware.

Despite admitting to the vulnerability of its product, Symantec is refusing to accept all of the responsibility. "The DNS attacks... have been widely known to be an Internet infrastructure problem, not a Symantec product problem, for some time and have been utilised in many well-publicised DNS spoofing, redirection, cache poisoning attacks," reads the Symantec response.

The company is also insisting that although LiveUpdate 1.6 could be hit by a denial of service attack, "only a small percentage of a very large user base could potentially be impacted to any degree as the spoofing or redirection would, by its very nature, be limited to a local Internet area/region".

Symantec is encouraging users to upgrade to LiveUpdate 1.6 if they are still relying on the four-year-old 1.4 version.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards