Symantec light on AV compromise specifics

Some odd answers forthcoming...

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations the company's AV source code was stolen in 2006.

But when it comes to providing specifics, Symantec is guarded.

Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software.

But it won't say which 5%.

Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small compared with today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see.

Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers.

    We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code.

    Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don't have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered on over the previous six years.

More technical readers will know that the claim that extra features in the company's newer endpoint protection software make exploitation impossible is quite simply bunk.

Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example.

Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees.

Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate.

So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side".

So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products?

Find Patrick Gray on Twitter.