In a recent story at sister site SearchSecurity.com, Edmund X. DeJesus provided warnings about vulnerabilities in numerous antivirus products, including some for Linux and Windows platforms. Because this situation is potentially grave, it's worth noting that antivirus software is only as good as it is current. Everybody is aware of the need to keep virus signature files up to date. This news simply underscores the importance of keeping antivirus (AV) software itself up to date as well.
Not that you should worry needlessly if you subscribe to antivirus update services; if you're current on your subscription and you auto-update your AV software, you're probably exempt from such concerns. Nobody is as keen to avoid threats and vulnerabilities as security software/service providers. Most AV vendors see themselves as both software and service providers (software to process AV screening, services to provide regular signature updates, virus removal tools and so forth).
Of course, if you don't take advantage of auto-update in your AV package, you might want to reconsider that position or start scheduling regular checks on updates at your vendor's Web site. Be especially zealous in installing critical security updates (just like for Windows). Scheduling regular checks probably makes most sense for larger networks, where administrators typically stage updates to a local server, and script update propagation to individual machines behind the corporate or organizational firewall.
It's interesting to observe that DeJesus reports on vulnerabilities in a number of popular AV products:
- Kaspersky AntiVirus for Linux 126.96.36.199, Trend Micro InterScan VirusWall 3.8 Build 1130, and McAfee Virus Scan for Linux 4.16.0 are subject to a denial of service condition when scanning so-called bzip2 bombs (see advisory). Basically, these are compressed files that are tiny when compressed and enormous when expanded. Because some AV products routinely expand compressed files prior to scanning, such enormous files can swamp scanners when uncompressed, thereby leading to denial of service on machines where they run.
- When automatic LiveUpdate (applies to Symantec products on Windows NT, 2000, XP, and Server 2003) runs, its executables run at system privilege level. A clever hack on the Help utility that the related pop-up offers allows users to run commands at that elevated level, and can lead to system compromise (see advisory).
The bottom line, of course, is that all key system elements -- including not just the operating system and applications, but also security and AV software -- needs to be patched or updated to fix or workaround known threats and vulnerabilities. When your watchman needs watching, it's time to take extra care.
About the author
Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.
This was first published in January 2004