Symantec corrects 'misleading' Norton AV statements

On 19 October, ZDNet Australia reported that a vulnerability in Norton AntiVirus 2005 could allow a specially crafted script to evade detection by NAV's script blocker and shut down the application's auto-protect feature, which means an apparently protected computer could become infected with a virus.

Symantec initially denied that a problem existed and then said it was not a threat because the flaw would only affect users logged in with administrator rights.

The Norton AntiVirus application is designed for the consumer market where the majority of users are logged in as administrators, and so would be vulnerable.

Mark Kennedy, architect, product delivery and response at Symantec, told ZDNet Australia on Friday that the previous statement was incorrect.

-Probably the totality of home users are administrators on their own machines. Wherever that [statement] came from, the person obviously did not understand the way consumer machines work," said Kennedy.

Dan Milisic, the security researcher credited with first discovering the vulnerability, said Symantec's initial response was misleading and unacceptable.

-Shouldn't a high-level corporate contact understand the way consumer machines work, or at least talk to someone who does before spewing misinformation to the press?" asked Milisic.

Kennedy acknowledged that Milisic's script could slip through Norton AntiVirus's script blocker and said Symantec was investigating how to improve the product's internal defence mechanisms.

However, he said that if a virus writer was to create a worm using a technique similar to Milisic's, Symantec would issue a detection signature "within hours" to protect existing customers.

"If such a worm were to go out we would write a signature for it and anybody that had not been hit by it -- anyone that had updated their signatures before the worm infected their machine -- would be fully protected from it," said Kennedy.

Milisic said, "Someone has got to write the next loveletter.vbs and it has to propagate before a signature is written. Script Blocking was designed to prevent malicious VBS code from running without the need for signatures, so this point is totally irrelevant to the scope of the Script Blocking failure."

We will fix it, Damn it!
Symantec's Kennedy told ZDNet Australia that the company is responding to feedback from its customers and hoping to make the next version of its flagship consumer product smaller and faster.

-The footprint of the product and the performance of the product is something that the consumer team is actively working on. It is a high priority for the next release, which will be in the mid-calendar year 2005 -- and will be called Norton AntiVirus 2006," said Kennedy.

Vincent Weafer, senior director of Symantec's Security Response team, said that the company takes customer feedback very seriously and its product development goals are designed to ensure that new applications combine a high degree of security and usability.

-We want to make sure that we are protecting our customers. Anywhere we find we are not we will do our damndest to fix and address it," said Weafer, who said the company's aim is to -make sure that any technology we roll out is not too intrusive and not too big and yet at the same time keeping up with the latest and greatest threats."