Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

F-Secure Vulnerability; More on Symantec UPX and Microsoft patch set

Published: 2005-02-10
Last Updated: 2005-02-11 05:16:45 UTC
by William Stearns (Version: 1)
0 comment(s)

F-Secure ARJ Vulnerability



In a late update to today's diary, it was released today that F-Secure AntiVirus (and related products) is vulnerable to similar problems to that of Symantec's in the past 2 days. The prime difference is that F-Secure's problem involves the ARJ archive format instead of UPX. For more details about the vulnerability and affected products please see the following URLs:




As more information is released, we will add information to tomorrow's diary entry. -- The Internet Storm Center Team

Symantec UPX vulnerability, ongoing



The handler's list was largely focused on the
. Symantec's web site seems to
indicate that they actually do have a patch for this:


"Note: Virus definitions version 70209af (extended version
2/9/2004 rev. 32) or greater contain this heuristic."


It's well worth running LiveUpdate if you haven't already.


Older unsupported versions of Symantec Anti-Virus may not have
updates available. For these, upgrading to SAV 9 or above might be
appropriate. You may be able to work around the vulnerability by
disabling compressed file scanning, but this should be a temporary fix.

Microsoft patch set: NVidia, rebooting



Dmitriy noted that the recent
block caused problems with his NVidia drivers; the system would not
go beyond VGA resolution. Simply re-installing the
drivers solved the problem.


John wrote in that around 20% of his systems entered a constant
reboot cycle after applying the Microsoft patch set. Here's what he
said:


"It turns out that the culprit is KB885250. One of the actions
the update attempts is to replace rdbss.sys. If the blue
screen/rebooting problem occurs it will be because the Windows File
Protection system detects the replacement of that file and restores it.
Of course, the update does not work with the restored version of
rdbss.sys. Hence, the blue screen/perma-reboot. The "solution" (that
is, the way to get your Windows 2000 machine functioning again) is to
enter Safe Mode and remove KB885250 via Add/Remove Programs. It will
complain that its removal will cause problems for other updates, but if
you ignore that message and click OK, your system will work again...
After KB885250 has been uninstalled, it can be installed manually
without incident."


-- Handler on Duty,
Keywords:
0 comment(s)
Diary Archives