Symantec Fixes SystemWorks Vulnerability
Symantec Corp. has issued an update to its popular Norton SystemWorks software utility suite to remove a function that security researchers found could be exploited by malware to hide on a user's system.
The discovery was made in part by Mark Russinovich, the same Sysinternals researcher who investigated Sony BMG's anti-piracy software and revealed that the company was using "rootkits" to hide essential files from users and resist removal. Symantec also credits anti-virus maker F-Secure Corp.'s Blacklight team with helping to resolve the issue.
The researchers found that Norton SystemWorks and Norton SystemWorks Premier contain a feature called the "Norton Protected Recycle Bin," or "NProtect," which resides within the Microsoft Windows Recycler directory but which is hidden from Windows. NProtect actually creates a backup copy of anything the user sends to the Windows recycle bin; in the event that the user wants to reclaim any of those files (even if they are emptied from the Windows trash bin), NProtect can fetch them from the Norton bin.
It turns out that files in the Norton bin directory might not be scanned during scheduled or manual virus scans, an oversight that could potentially provide a location for an attacker to hide a malicious file on a computer running the software.
In its advisory on this problem, Symantec explains the oversight this way: "When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect."
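To make the blind spot concrete, here is an added example (not Symantec's code, and not from the advisory) of a minimal hash-based file scanner run two ways over a constructed directory tree: once pruning hidden directories, as a scanner that never enters a hidden bin would, and once entering them. The `.NProtect` directory name, the `Recycler` layout and the "known bad" hash are all assumptions constructed for the demonstration; on Windows the hidden attribute is set for real via `SetFileAttributesW`, elsewhere a leading dot stands in for it.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample: the SHA-256 of a harmless marker file stands in for a
# "known bad" signature. Nothing here is real malware.
SAMPLE_BYTES = b"constructed marker file - not malware, only exercises the scanner\n"
KNOWN_BAD = {hashlib.sha256(SAMPLE_BYTES).hexdigest()}


def is_hidden(path: Path) -> bool:
    """Hidden = Windows FILE_ATTRIBUTE_HIDDEN, or (assumption for POSIX) a leading dot."""
    if path.name.startswith("."):
        return True
    try:
        return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:  # st_file_attributes exists only on Windows
        return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, skip_hidden_dirs: bool) -> list:
    """Walk root, hash every file, return relative paths whose hash is in KNOWN_BAD.

    skip_hidden_dirs=True reproduces the oversight described in the article:
    hidden directories are pruned from the walk, so their contents are never hashed.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_hidden_dirs:
            dirnames[:] = [d for d in dirnames if not is_hidden(Path(dirpath) / d)]
        for name in filenames:
            p = Path(dirpath) / name
            if sha256_of(p) in KNOWN_BAD:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def build_sample_tree(base: Path) -> Path:
    """Constructed layout loosely modelled on a Recycler directory: one ordinary
    deleted file, plus the flagged file inside a hidden '.NProtect' subdirectory
    (directory and file names are assumptions, not Symantec's real paths)."""
    recycler = base / "Recycler"
    visible = recycler / "S-1-5-21-CONSTRUCTED"
    hidden = recycler / ".NProtect"
    visible.mkdir(parents=True)
    hidden.mkdir()
    (visible / "Dc1.tmp").write_bytes(b"ordinary deleted file\n")
    (hidden / "backup.bin").write_bytes(SAMPLE_BYTES)
    if os.name == "nt":  # also set the real hidden attribute on Windows
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(hidden), stat.FILE_ATTRIBUTE_HIDDEN)
    return recycler


def demo():
    """Returns (hits when hidden dirs are skipped, hits when they are entered)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return scan(root, skip_hidden_dirs=True), scan(root, skip_hidden_dirs=False)


if __name__ == "__main__":
    naive, full = demo()
    print("scanner that skips hidden directories found:", naive)
    print("scanner that enters hidden directories found:", full)
```

The first scan returns nothing because the pruning step removes `.NProtect` before its contents are ever read; the second returns the flagged file. The defensive takeaway is the one Symantec's update reflects: a scanner's coverage should be decided by what is on disk, not by what the shell chooses to display.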
The update and instructions for applying it are available here.
Symantec notes that it is not aware of any threats that try to take advantage of this functionality. Still, this kind of thing underscores why it is never a good idea for companies to build their software so that it can hide from Windows and the end-user.
"In this case, Symantec was using cloaking techniques to protect the end-user from themselves and from deleting files they might want to get back someday," Russinovich said. "But in the process, they've created a potential security risk and making it so that whole portions of the machine are unmanageable by Windows or the user."
Russinovich said he'd have more details about his findings -- which may soon incorporate other commercial software on the market today (including another anti-virus maker) -- in a Wednesday post on his blog.
Posted by: nedu | January 13, 2006 3:29 PM