
Symantec issues security warning for its own software

by - source: Tom's Hardware

Cupertino (CA) - In a move certain to make the already murky question of how far a program may go to enable "security" for its customers even murkier, Symantec took the unusual - and perhaps embarrassing - step yesterday of issuing a security advisory about a stealth technique used by a piece of its own software.

As a means of protecting its data contents from inadvertent deletion, even by an operating system process, Norton Protected Recycle Bin hides the "NProtect" directory, apparently using the same Windows API system call diversion technique that Sony BMG's XCP copy protection scheme used to deflect system access to the directory containing its drivers. The NProtect directory is used by Norton SystemWorks to store files that are scheduled for deletion but can also be safely undeleted and restored to their previous directories.

No evidence exists that Symantec used this stealth-guarded NProtect directory for any other purpose, such as communicating the contents of files over the Internet to an undisclosed destination. So by the original technical definition, the Norton measure does not constitute a "rootkit," although in the wake of the Sony BMG affair, the common definition did stretch a bit. Nonetheless, after initially denying it was using rootkits, Symantec acknowledged the following in its security bulletin: "Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer."
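The two paragraphs above describe the mechanism (a diverted directory-enumeration call that drops the NProtect entry from listings) and its consequence (a scanner that relies on that call never sees the files inside). The following simulation is an added example written for this page, not Symantec's code or a description of the real NProtect implementation: it models a filesystem as an in-memory tree (constructed sample data), a "hooked" listing function that filters out a hidden name, a naive scanner that only uses the hooked view, and the cross-view check that rootkit detectors use, comparing the raw view with the API view and reporting whatever the API view omits. The directory names and the file name `dropped.exe` are constructed for the example.

```python
"""Cross-view detection of a directory hidden from API listings.

Constructed simulation: RAW_TREE is the "true" on-disk contents; the
hooked listing function plays the part of a diverted enumeration API
that silently removes one entry. Nothing here touches a real filesystem.
"""

# Constructed sample tree (assumed): directory path -> child names.
RAW_TREE = {
    "C:\\": ["Windows", "Recycled", "Users"],
    "C:\\Recycled": ["NProtect", "desktop.ini"],
    "C:\\Recycled\\NProtect": ["00000001.doc", "dropped.exe"],
    "C:\\Windows": ["notepad.exe"],
    "C:\\Users": [],
}

# Names the simulated hook strips from every listing (assumed for the example).
HIDDEN_NAMES = {"NProtect"}


def join(path, name):
    """Build a child path in the Windows style used by RAW_TREE."""
    return path.rstrip("\\") + "\\" + name


def raw_listdir(path):
    """Unfiltered view: what the storage stack actually holds."""
    return list(RAW_TREE.get(path, []))


def hooked_listdir(path):
    """Diverted view: the same listing with hidden names removed, which is
    the behaviour the article attributes to the NProtect stealth technique."""
    return [name for name in raw_listdir(path) if name not in HIDDEN_NAMES]


def walk(listdir, root):
    """Enumerate every path reachable from root using the given listing
    function. A hidden directory never appears, so nothing under it is
    visited either."""
    found = []
    stack = [root]
    while stack:
        directory = stack.pop()
        for name in listdir(directory):
            full = join(directory, name)
            found.append(full)
            if full in RAW_TREE:  # it is a directory: descend into it
                stack.append(full)
    return sorted(found)


def scan_for_malware(listdir, root, bad_names):
    """Naive signature scanner: flags any file whose name is in bad_names.
    Run with hooked_listdir it reproduces the gap Symantec's bulletin
    describes; run with raw_listdir it finds the file."""
    return [p for p in walk(listdir, root) if p.rsplit("\\", 1)[-1] in bad_names]


def cross_view_diff(root):
    """Rootkit-detector style check: every path the raw view knows about
    that the API view fails to report is a candidate for a stealth hook."""
    return sorted(set(walk(raw_listdir, root)) - set(walk(hooked_listdir, root)))


if __name__ == "__main__":
    print("API-view scan:", scan_for_malware(hooked_listdir, "C:\\", {"dropped.exe"}))
    print("Raw-view scan:", scan_for_malware(raw_listdir, "C:\\", {"dropped.exe"}))
    print("Hidden from API view:", cross_view_diff("C:\\"))
```

The point of the cross-view check is that it does not need to know which name the hook hides: any disagreement between two independent ways of enumerating the same tree is reported, which is why the same approach surfaced both the XCP directory and, here, NProtect.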

Soon after the existence of the Sony BMG stealth technique was first reported, Sophos Labs discovered that virus writers were already exploiting its stealth capabilities to hide malicious payloads in the same directory as XCP’s DRM protection drivers. At that time, Symantec was one of the first companies to distribute the stealth removal tool developed by XCP’s creators, First4Internet. In its security bulletin last November, Symantec strongly urged customers of Sony BMG music to use the tool, even though it also explicitly warned that doing so could damage the operating system. Many users reported exactly that.

However, last night, Symantec characterized the threat posed to users by the Norton technique as "Low," and though it is offering a software fix of its own that removes the stealth technique while leaving the NProtect directory intact, it's not being done with quite the same sense of urgency. "When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory," reads the bulletin. "In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory."

In a perhaps equally embarrassing move, Symantec credited one of its own competitors, security software company F-Secure, plus Mark Russinovich - the same developer who discovered the Sony BMG stealth package with his rootkit detection software - with having "worked with" Symantec in handling the discovery of the stealth technique. Russinovich’s blog thus far contains no mention of his discovery.

And in a sign that security engineers may perhaps be willing to forgive and forget this time around, many posted the news of Symantec’s warning this morning by characterizing the technique as a "bug" and a "design flaw," as opposed to the threat to humankind that Sony BMG’s permutation comparatively posed.
