• Symantec/Norton dangerously insecure.

    #506057

    Time to update and study the alternatives?

    Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

    “These vulnerabilities are as bad as it gets,” Tavis Ormandy, a researcher with Google’s Project Zero, wrote in a blog post. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

    High-severity bugs in 25 Symantec/Norton products imperil millions.

    • #1568963

      Thanks for the heads-up. I hadn’t seen this and some of my family use Norton 360.

    • #1568983

      Perhaps some amplification is needed here to avoid “panic”: If you are using a Symantec product, it will automatically download and install any necessary patches/updates; these will correct the vulnerabilities reported by the OP. To ensure that you have the latest updates, manually run “update” in your product.

      I quote from the Symantec Site: “Norton Family:

      Product update is delivered via LiveUpdate™. LiveUpdate™ runs automatically at regular intervals or users can run an interactive LiveUpdate™.

      To perform LiveUpdate™ interactively, users should:

      1. Access LiveUpdate™ in the product
      2. Run LiveUpdate™ until all available updates are downloaded and installed

      The Help -> About Box in the product UI will show the version 22.7.0.x if the update has been successfully applied.”

      My Rig: AMD Ryzen 9 5900X 12-Core CPU; ASUS Cross Hair VIII Formula Mobo; Win 10 Pro (64 bit)-(UEFI-booted); 32GB RAM; 2TB Corsair Force Series MP600 2TB PCIe Gen 4.0 M.2 NVMe SSD. 1TB SAMSUNG 960 EVO M.2 NVME SSD; MSI GeForce RTX 3090 VENTUS 3X 24G OC; Microsoft 365 Home; Condusiv SSDKeeper Professional; Acronis TI 2021 Premium, VMWare Workstation 15 Player. HP 1TB USB SSD External Backup Drive). Dell G-Sync 144Hz Monitor.

    • #1568986

      I also wasn’t aware of this advisory but I had been made aware of an upgrade to Norton on another forum and a Check for updates gave me the patch to upgrade it to 22.7.0.76 which required a reboot to effect.

      I think a manual check for updates was required for this patch, but opening Norton and clicking on the Help button and then on New Version Check will tell you if you have the latest version.

    • #1569079

      I would have thought that if a user runs Norton’s LiveUpdate(TM), this would address known exploits of the type described in satrow’s post, but it wouldn’t address such an exploit that was brand new. Is this accurate, or is Norton addressing this type of exploit as well as instances of that exploit?

    • #1576206

      Hey Y’all,

      Here’s a direct link to killing this bad boy in Windows.

      I just did this, after creating a system restore point JIC! Easy peasy! HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

    • #1576215

      I don’t use Symantec/Norton but I assume that I should block this CA anyway, correct?

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2, (2 Desktops, 1 Laptop).

      • #1576216

        I don’t use Symantec/Norton but I assume that I should block this CA anyway, correct?

        Yes. Here’s how another website explains it in slightly greater detail:

        Since they now have a trusted CA, and they’re known for creating MiTM attack devices, they can use this certificate to issue fake certificates for any website you visit. To clarify, they can intercept your connection to, say, YourBank.com, open their connection to YourBank using their real certificate, but send your computer their own certificate that claims to be YourBank’s, sign it with their trusted CA, and your computer won’t blink an eye. It will implicitly trust it, seeing as if it checks the signing CA, it’ll find that it is properly signed, and trusted on your machine.

        They’ll be able to see all your traffic and YourBank won’t know the difference as the traffic will be re-encrypted using the real certificate before it’s sent off to them. The same applies to literally any website that uses HTTPS to encrypt their connection. Facebook, Google, iCloud… all fair game.

        This all means you should definitely be worried. But everything will be okay, because you can “untrust” this shady intermediate CA from Blue Coat on both Mac and Windows. At least for now, until they make a new one.

        (My emphasis)

        Hope this helps…

    • #1576260

      I ran the Direct link that RG posted and put the CA in Untrusted Certificates BUT after doing that, I can’t seem to find the section in Group Policy where those certificates are located. Where do I look for the trusted and untrusted certificate folders???


      • #1576262

        I can’t seem to find the section in Group Policy where those certificates are located. Where do I look for the trusted and untrusted certificate folders???

        It’s not the Group Policy editor (gpedit.msc) you want. Instead, you need the Microsoft Management Console (mmc.exe) and add the Certificates snap-in:

        1. Click Start.
        2. Type mmc in the Search programs and files text entry box.
        3. When mmc.exe appears in the search results, right-click and choose Run as administrator.
        4. When the console window appears, select File > Add/Remove Snap-in….
        5. Select the Certificates snap-in in the left pane then click on the Add > button in the centre (or center 🙂 ).
        6. In the dialog which appears, choose the Computer account option then click on the Next button.
        7. In the next dialog, leave the setting at the default Local computer option and click on the Finish button.
        8. Back at the Add or Remove Snap-ins dialog, click on the OK button to dismiss the dialog.
        9. In the left-hand pane you can now expand the Certificates tree to show the Untrusted Certificates > Certificates branch.

        Hope this helps…

    • #1576263

      Thanks for the directions Rick. When I look in the untrusted certificates, I don’t see the Blue Coat certificate even though I checked after importing it to the untrusted folder and it said it was there.
      [attachment: untrusted-certs]


      • #1576279

        When I look in the untrusted certificates, I don’t see the Blue Coat certificate even though I checked after importing it to the untrusted folder and it said it was there.

        Sorry… I should have asked earlier.

        In Step 3 of the Untrusting the Blue Coat Intermediate CA from Windows instructions, did you install the certificate to Current User or Local Machine (i.e. system-wide)? My instructions assumed Local Machine.

        If you installed to Current User then you’re looking at the wrong tree in the Certificates snap-in. It’s easy to fix. In File > Add/Remove Snap-in… just add the Certificates snap-in again but this time choose the My user account option.

        (IMO it’s always best to install to Local Machine… just in case you create a new account and forget to install the certificate to Untrusted for the new account.)

        Hope this helps…

        • #1576282

          In Step 3 of the Untrusting the Blue Coat Intermediate CA from Windows instructions, did you install the certificate to Current User or Local Machine (i.e. system-wide)? My instructions assumed Local Machine.

          I followed the instructions to a “T” and selected Local Machine and afterwards I checked by running the cert again which said that it was untrusted.


          • #1576283

            I followed the instructions to a “T” and selected Local Machine and afterwards I checked by running the cert again which said that it was untrusted.

            Strange… I just checked my PC and found it in Current User > Untrusted, not Local Machine. I assume that it depends on the type of certificate.

            [attachment: certificate]

            The process was also different to the Untrusting the Blue Coat Intermediate CA from Windows instructions inasmuch that I didn’t see a choice of Current User or Local Machine in the Certificate Import Wizard.

            Hope this helps…

    • #1576285

      hmmm,

      It’s in LM on my PC but is the only one there.
      [attachment: untrusted]

    • #1576286

      Rick, Browni,

      Mine shows the same as Browni’s:
      [attachment: Certificates]

      Rick, your screen is scrolled so Personal is on top, perhaps if you scrolled up you would see what we see. Or maybe you missed a step in the instructions.

      HTH :cheers:


      • #1576324

        Rick, your screen is scrolled so Personal is on top, perhaps if you scrolled up you would see what we see. Or maybe you missed a step in the instructions.

        Looks like it’s the difference between Windows 7 and Windows 10. I reverted my (main) PC back from Vista II™ ( 🙂 ) to Win 7. In Win 7 the Certificate Import Wizard doesn’t show an option to choose between Current User and Local Machine. Instead I see this:

        [attachment: certificate2]

        Even though I followed the instructions to install to Untrusted Certificates, without that initial choice the certificate is installed to Current User > Untrusted Certificates by default.

        I deleted the certificate then, within MMC, manually imported into the Untrusted Certificate store of Local Machine. All sorted now.

        Hope this helps…

    • #1576287

      Strange… I just checked my PC and found it in Current User > Untrusted, not Local Machine. I assume that it depends on the type of certificate.

      Yup, that’s where it is on mine also.

      The process was also different to the Untrusting the Blue Coat Intermediate CA from Windows instructions inasmuch that I didn’t see a choice of Current User or Local Machine in the Certificate Import Wizard.

      When I ran it, I had a choice of Current User and Local Machine and picked Local Machine (I double-checked it to make sure), so the obvious conclusion is that it put the revocation in Current User only, no matter what I picked.


    • #1576312

      RG,
      Your screen definitely looks different than mine and Rick’s, especially the Console heading.
      Yours says “MyManagementConsole”; mine, Rick’s and Browni’s say “Console1”. Why the different heading?


    • #1576325

      In Win 7 the Certificate Import Wizard doesn’t show an option to choose between Current User and Local Machine. Instead I see this:

      I installed it on W7 and it definitely showed the option of Current User and Local Machine and even though I chose Local Machine it installed to Current User. Something is really screwy with this process.
      [attachment: Loc-Mach]


      • #1576333

        I installed it on W7 and it definitely showed the option of Current User and Local Machine and even though I chose Local Machine it installed to Current User. Something is really screwy with this process.

        I just tried it on a W7 Pro x32 VM and, once again, the Certificate Import Wizard didn’t show the option of Current User and Local Machine so I’m a bit confused by what’s going on here.

        Are you using W7 Home or Pro?

        • #1576334

          I just tried it on a W7 Pro x32 VM and, once again, the Certificate Import Wizard didn’t show the option of Current User and Local Machine so I’m a bit confused by what’s going on here.

          Are you using W7 Home or Pro?

          I get the same as you Rick (Win 7 Home premium x64 VM)

    • #1576335

      Rick,

      Ok, it seems that there is an extra step in Win 7 (or just the same step in a different location).

      When selecting the Store you have to check the box to Show Physical Stores to show all stores.
      [attachment: w7certstore]

      Once that is done you can select the Local Computer and proceed.

      Here’s the confirmation using the MMC with the Certificates Snapin.
      [attachment: mmccerts]

      HTH :cheers:


      • #1576342

        Ok, it seems that there is an extra step in Win 7 (or just the same step in a different location).

        I am using W7 Pro.

        In my (albeit) limited experience, it just seems easier in Win 7 to launch MMC, add the Certificates snap-in then import the certificate to Local Machine?

        I can provide step-by-step instructions (with screenshots), if required.

        Hope this helps…

      • #1576364

        Ok, it seems that there is an extra step in Win 7 (or just the same step in a different location).

        When selecting the Store you have to check the box to Show Physical Stores to show all stores.
        [attachment: w7certstore]

        Once that is done you can select the Local Computer and proceed.

        Sorry RG but I can’t duplicate what you see. On both my main PC (W7 Pro x64, logged on with account in Administrators group) and a W7 Pro x32 VM (again, logged on with account in Administrators group) I only see the following:

        [attachment: certificate3]

        I don’t understand why I can’t see either Local Machine or Group Policy within the Physical stores.

        I thought that perhaps it was a difference between Pro and Home so fired up a W7 Home Premium x64 VM… but it showed exactly the same, i.e. no radio buttons on the first page of the Certificate Import Wizard nor any ability to choose Local Machine from within Show physical stores. Now I’m beginning to think that the differing behaviour is down to a Windows update that amended the look and feel of the Certificate Import Wizard?

        • #1576368

          Here’s one, which can be followed either by regular users or administrators. It’s several steps, but it’s a logical progression, and will work for everyone.

          The instructions in the Untrusting the Blue Coat Intermediate CA from Windows article don’t apparently work for everybody. They describe the process for Windows 10 users but some Windows 7 users have found differences that lead to the certificate ending up in the Untrusted Certificates store for Current User only.

          Here’s the way I used to install the certificate in Untrusted Certificates for Local Machine, i.e. system-wide.

            1. Download and save the Blue Coat Intermediate certificate.
            2. Click on Start and type mmc in the Search programs and files text entry box (don’t press RETURN/ENTER).
            3. When mmc.exe appears in the search results, right-click on mmc.exe and choose Run as administrator.

            [attachment: mmc01]

            4. When the User Account Control dialog appears, click on the Yes button.
            5. When the MMC (Microsoft Management Console) window appears, click on the File menu and select Add/Remove Snap-in….

            [attachment: mmc02]

            6. Select the Certificates snap-in in the left pane then click on the Add > button in the centre (or center 🙂 ).
            7. In the dialog which appears, choose the Computer account option then click on the Next button.

            [attachment: mmc03]

            8. In the next dialog, leave the setting at the default Local computer option and click on the Finish button.

            [attachment: mmc04]

            9. Back at the Add or Remove Snap-ins dialog, click on the OK button to dismiss the dialog.
            10. In the left-hand pane, expand the Certificates tree to show the Untrusted Certificates > Certificates branch.
            11. Right-click on Certificates and choose All Tasks > Import….

            [attachment: mmc05]

            12. When the Welcome to the Certificate Import Wizard dialog appears, click on the Next > button.
            13. When the File to Import dialog appears, use the Browse… button to navigate to the certificate you saved in step 1, select the certificate then click on the Open button.
            14. Once selected, click on the Next button in the File to Import dialog.
            15. The Wizard should show that it’s going to store the certificate in the Untrusted Certificates store that you previously selected, so just click on the Next > button.

            [attachment: mmc06]

            16. In the Completing the Certificate Import Wizard dialog, click on the Finish button.
            17. The Wizard should show The import was successful. Click on the OK button to dismiss the dialog.

            [attachment: mmc07]

            18. You should now be able to see the certificate in the Local Computer > Untrusted Certificates > Certificates store.

            [attachment: mmc08]

          Hope this helps…
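The same result as the MMC walkthrough above (and the shorter snap-in instructions earlier in the thread), scripted so it can be repeated on several machines and checked afterwards. This is an added example, not code from the thread or from the Untrusting the Blue Coat Intermediate CA article; the certificate path is a placeholder you must replace. It uses the .NET X509Store class rather than the Import-Certificate cmdlet so it also runs on Windows 7, where the PKI module is not available, and it reports whether the certificate ended up in the Current User store, the Local Machine store, or both, which is the point the thread was trying to settle.

```powershell
# Added example (not from the thread): put an intermediate CA certificate into the
# Local Machine "Untrusted Certificates" store (internal store name: Disallowed) and
# then report which Untrusted stores actually contain it.
# Run from an elevated PowerShell prompt. $CerPath below is an assumed placeholder.

function Add-UntrustedCertificate {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $Location = 'LocalMachine'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # 'Disallowed' is what MMC shows as "Untrusted Certificates". Opening it for
    # LocalMachine requires an elevated prompt; CurrentUser does not.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }   # no-op if the same certificate is already present
    finally { $store.Close() }

    return $cert.Thumbprint
}

function Get-UntrustedCertificateLocations {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # Check both Untrusted stores by thumbprint so you can see whether the import
    # landed under Current User, Local Machine, or both.
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        [pscustomobject]@{
            Store   = "$loc\Disallowed"
            Present = Test-Path -Path "Cert:\$loc\Disallowed\$Thumbprint"
        }
    }
}

# Usage: replace the path with the .cer file you downloaded in step 1.
$thumb = Add-UntrustedCertificate -CerPath 'C:\path\to\downloaded-intermediate.cer'
Get-UntrustedCertificateLocations -Thumbprint $thumb | Format-Table -AutoSize
```

If you only want the one-liner, `certutil -addstore Disallowed C:\path\to\downloaded-intermediate.cer` from an elevated prompt does the Local Machine import (add `-user` to target Current User instead); the Get-UntrustedCertificateLocations function is still useful afterwards to confirm which store took it.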

    • #1576336

      Are you using W7 Home or Pro?

      Rick, I am using W7 Pro
      RG, the original link for instructions that you posted didn’t mention checking the physical stores box and it shows the box unchecked, so maybe the author forgot the step. So I guess I need to right-click and delete the untrusted cert from Current User and start from the beginning so I can check the box for store?

      Update:
      I deleted the cert in current user and ran the whole thing again with the physical stores box checked and it made no difference. It once again installed only to current user and not local machine. Not sure how you guys got it to install to local machine!


    • #1576347

      I can provide step-by-step instructions (with screenshots), if required

      Rick, That would be great if you have the time 😀
      BTW, I agree with your assessment of Gene Wilder. I guess he is with Gilda now.


      • #1576365

        Rick, That would be great if you have the time 😀
        BTW, I agree with your assessment of Gene Wilder. I guess he is with Gilda now.

        OK… working on it… 🙂

        (I removed my earlier comment about Gene Wilder passing, mainly because I thought the thread had drifted enough. So sad. He was one of my heroes during my teenage years. I can’t count how many times I watched Blazing Saddles. 🙁 )

        And now I’ve drifted off-topic again… sorry, folks.

    • #1576350

      Lumpy,

      The first time I did it it was on Win 10 Pro and it didn’t require the checkbox as it had a radio button (second graphic) for the selection. That menu with the radio buttons is not available in Win 7 so you have to use the check box and navigate the folders.

      FYI: The revised graphics/instructions were done on Win 7 HP 64 Bit.

      HTH :cheers:


      • #1576351

        Lumpy,

        The first time I did it it was on Win 10 Pro and it didn’t require the checkbox as it had a radio button (second graphic) for the selection. That menu with the radio buttons is not available in Win 7 so you have to use the check box and navigate the folders.

        FYI: The revised graphics/instructions were done on Win 7 HP 64 Bit.

        HTH :cheers:

        RG, Actually my W7 Pro does have the radio buttons for both local machine and current user and I chose local machine. It still went to the current user>untrusted certificates.


    • #1576385

      Thanks Rick, I shall give it a try after a while. I still haven’t attempted the certificate on my W10 machine but will try that also sometime today.


      • #1576389

        Thanks Rick, I shall give it a try after a while. I still haven’t attempted the certificate on my W10 machine but will try that also sometime today.

        No worries. I documented it at your request whilst trying to understand why you and I had different experiences to RetiredGeek. I’m happy that I know what to do to untrust this certificate for ‘all users’ (i.e. Local Machine) and am not going to spend any further time about why our experiences were different. C’est la vie.

        Hope this helps…

    • #1576413

      Many thanks Rick, worked like a charm on my W7, now on to W10 in a while to see how the certificate adventure goes there.

      [attachment: Untrusted-certs]


    • #1576415

      I added the certificate to my W8.1 x64 Pro partition and it behaved like W10 in that it gave a choice of current user or local machine on the 1st screen.

    • #1576450

      W10 put it in Local Account>Untrusted certificates without a hitch, so there’s something about W7 that forces a different route to get it to the Local Machine ( thanks to Rick’s instructions on getting it there ).
      Good to see that you got a “Sticky” posted for the W7 process.


    • #1576454

      I’ve never had a ‘Sticky’ before. Should I consult my doctor?

      ROFL

    • #1576455

      Should I consult my doctor?

      Depends on where your “Sticky” is :cheers:


    • #1576468

      ROFL

      (I’m going to stop here ‘cos the thread had gone seriously off-topic… Mea culpa…)

    • #1577056

      Time to update and study the alternatives?
      High-severity bugs in 25 Symantec/Norton products imperil millions.

      Hi there, Satrow! Wondering if this applies to all Norton/Symantec products…my friend’s company uses Symantec Endpoint Protection SMB Edition.

    • #1577103

      It certainly applies to ~25 of their products so I’d say yes – read the rest of the topic, see what the others have been saying, too.

    • #1577365

      I read this stuff all the time. Sometimes it is someone trying to promote another brand-name, but I have no way of knowing if this is true. We are told to only accept advice from trusted sources, but I’m not sure what those are anymore.

      There is a difference between malware and hijacking and the traditional barriers we put up to protect ourselves. I emailed a friend about a medical condition and then 2 weeks later I got an email from a 3rd source advertising a home remedy for the medical condition I was talking about. In other words, our stuff is trolled and there is nothing we can really do about it because we don’t know which applications are doing this.

      We always have to remember that “free” is never free. These service providers have to make that money some way because their employees have to be paid, the hardware has to be kept updated, and all that cost money and they have to make their money some way.

      However, in the old days when we could identify the virus from a good journalistic source, and then do something about it have pretty much passed. I read about a recommended malware protection software only to find out that it actually embeds malware into your PC. How are the users supposed to know that?

      • #1578190

        There is a difference between malware and hijacking and the traditional barriers we put up to protect ourselves. I emailed a friend about a medical condition and then 2 weeks later I got an email from a 3rd source advertising a home remedy for the medical condition I was talking about. In other words, our stuff is trolled and there is nothing we can really do about it because we don’t know which applications are doing this.

        ?

        G-mail maybe? :cheers:

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.