A serious flaw in a common element of Symantec's products has emerged this week; the company reported that the flaw was "high" risk. Symantec, maker of protection software, said the flaw was in the antivirus library used in some of its products. Secunia elaborated on this further, saying that "the vulnerability is caused due to a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file".
In an advisory issued earlier this week, Symantec said that "The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library. This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks".
The flaw affects as many as 30 Symantec products, almost all of the company's software. The company said that users of the most recent versions of its software, like Norton Antivirus 2005, were unaffected. The company added that "The DEC2EXE engine is no longer required to parse compressed files" and that "Symantec had planned the DEC2EXE engine removal from all affected Symantec product versions during upcoming maintenance update." However, it advised all users to ensure they were fully patched (see link below). The company is also distributing patches to users via its automated Live Update feature.
View: Patch Up @ Symantec.com | Affected Products | Secunia Advisory
"So i happened to look over my finances this past weekend and i realized something: i'm broke. which is odd, because i had a bunch of liquid capital in my checking account last time i checked, and now all of a sudden i have nothing.
i realized the root problem was that google's relocation process requires the employee to pay all the expenses up front and then get reimbursed for them later. that means you have to cover an apartment hunting trip, your final relocation, lease termination fees and temporary housing expenses all in advance. not to mention that they don't pay out your signing bonus and relocation money until your first paycheck (which i haven't received yet). finally, add in the fact that i had to put down two months rent as a deposit for my new lease, and i'm flat broke.
on the plus side, this first paycheck is going to be huge... (which unfortunately means i'll probably end up getting taxed huge on it. doh!)
which led me to thinking about the "benefits" package at google. as i thought about it, i realized that most of the "benefits" actually seem to be thinly veiled timesavers to keep you at work. take for example: free lunch and dinner. now this one is an awesome value proposition for google; i'm not exactly sure why other companies don't also recognize the value and join in. consider this: it probably costs google a maximum of $3 per employee for lunch and $5 per employee for dinner. so that's only $8 per day, but if you think about the fact that the employee now probably only takes a half hour lunch break and also stays late working, the company actually realizes far more than an $8 gain in employee output. not to mention that most people think this is a great "benefit" and google gets a ton of positive press on it. in short, this "benefit" is designed to benefit the company, not the employee.
then look at all these other fringe "benefits": on-site doctor, on-site dentist, on-site car washes... the list goes on and on with one similarity: every "benefit" is on-site so you never leave work. i'm not going to say this isn't convenient for us employees, but between all these devices designed to make us stay at work, they might as well just have dorms on campus that all employees are required to live in.
next, let's look at the health care benefit provided. arguably, this is the biggest benefit companies pay out for their employees. google definitely has a program that is on par with other companies in the industry; but since when does a company like google settle for being on par? microsoft's health care benefits shame google's relatively meager offering. for those of you who don't know, microsoft pays 100% of employees' premiums for a world-class PPO. everything you can possibly imagine is covered. the program has no co-pays on anything (including prescription drugs); you can self-refer to any doctor in the blue cross blue shield network, which pretty much means any licensed professional; and you can even get up to 24 hour-long massage sessions per year.
lastly, google demands employees that are 90th percentile material, so what's with the 50th percentile compensation? the packages would've been decent when the company was pre-IPO, but let's be honest here... a stock option with a strike price of $188 just doesn't have the same value as the ones of yesteryear. even microsoft adjusted their base salaries to 66th percentile years ago when it was clear that their stock options weren't as much a part of the total compensation package as it used to be. for a post-IPO company like google, it only seems fair that they adjust things accordingly.
all in all, despite these rants, i still chose to come to google. the work environment, projects and risk/reward equation were all more enticing than up in redmond. but just like when you look for apartments in SF, no option is ever perfect. " (from here, mirrored at Bloglines)

my bad
Since Symantec has released LiveUpdate-based updates for every product affected by this vulnerability, a properly deployed network needs to do NOTHING but wait for the automatic updating to occur. At worst, you might need to force some reboots after the updates install. If all clients are members of a Windows domain, that should take one person about a minute to do, without getting out of his chair.
Of course, I know there's a bazillion networks where IT lets users install whatever they want, so that IT doesn't even know what Symantec products might be located where. And another bazillion networks where IT does all the installing, but they do it by sending a gopher to run Setup on each machine, one at a time. Maybe half a bazillion more networks where the IT staff thinks it is highly advanced because it uses NetOp or VNC to remotely (but still manually) run Setup on each machine, one at a time. To all of them: Have Fun!
1. Interacts with every virus that touches the system.
2. Runs with Administrator privileges.
Sounds secure to me!
Sort it out!
I may downgrade to 2003... plus there's no activation....
RJ
I'm not surprised by this news: Norton is notorious for being bloat-ware.
they rate NOD32 #1 and all that garbage, when A LOT of other sites rate nod in the 83% range, incl independent tests
If you need a free AV i think AVG is actually very good as well as avast..but avast is a bit of a hog
it might not have hogged too many resources but much more than NOD, it was also a lot slower, and while it did detect a few viruses I knew I had, it couldn't do anything about them (and they were inactive lying around in files unused since the 90's)
that and the fact it has a horrible management system.
NOD is just nice, and extremely light on the resource in addition to being sickeningly fast.
As for Symantec stuff.. UGH.. they're major resource hogs, and EVERY version way back to 2001 has had major bugs for 3-5 months after release causing problems with other software, especially copy protection services, that will lock up the system in 99% cpu usage or other bad things.
add in that their firewall likes to block things you have set to full allowance on and other crap/bugs and I feel more secure just not using symantec products at all.
Symantec products are horror. In an inexperienced user's hands, Symantec is worse than a virus.
Edit,
OMG it didn't download it, ah well just updated
http://www.securityfocus.com/archive/1/390170
awesome.