Symantec forced to fix rootkit-style flaw
U-turn over hidden directory.
By John E Dunn | Techworld | Published: 13:34, 12 January 2006
Symantec has been caught up in the controversy surrounding "rootkit" techniques, which let software hide files and other components from the operating system and the user on the machine it is installed on.
The anti-virus company has had to fix a flaw in Norton SystemWorks that could allow an attacker to hide malicious code in a hidden directory used by the product.
The problem itself is in the company's Norton Protected Recycle Bin, a feature that lets Windows users restore deleted files of types that Windows' own Recycle Bin does not keep.
It uses a hidden folder, NProtect, which anti-virus scanners, including the company's own, do not examine during scheduled or manual scans. Files in the directory are still checked by on-access scanning, but that only happens when a file is opened or executed, so a payload parked in the folder can sit undetected until then. The blind spot makes it a potential hideaway for malware, the company has admitted.
The directory was hidden in the first place because Symantec wanted to ensure that users couldn't accidentally delete its contents.
"In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory," an advisory on its website stated. Symantec has released an automatic update via LiveUpdate, which makes the directory visible to all types of scan.
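To make the blind spot concrete, here is an added example, not code from the article or from Symantec, that models a scheduled scan which prunes an excluded directory name (the NProtect situation before the fix), the same scan with the exclusion removed (after the fix), and a per-file on-access check. The scan engine is a deliberate stand-in: it matches a constructed signature byte string rather than real patterns, and the sample directory tree, file names and signature are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed signature list: a stand-in for real anti-virus patterns.
SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]


def file_matches(path: Path, signatures=SIGNATURES) -> bool:
    """Naive content check: does the file contain any signature byte string?"""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return any(sig in data for sig in signatures)


def scheduled_scan(root: Path, excluded_dirs=()) -> list:
    """Model of a scheduled/manual scan that never descends into excluded
    directory names. Returns root-relative POSIX paths of matching files."""
    hits = []
    excluded = {name.lower() for name in excluded_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning dirnames in place is exactly how an exclusion becomes a
        # blind spot: os.walk will not enter the pruned directories at all.
        dirnames[:] = [d for d in dirnames if d.lower() not in excluded]
        for name in filenames:
            p = Path(dirpath) / name
            if file_matches(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def on_access_scan(path: Path) -> bool:
    """Model of an on-access (real-time) check: evaluated for one file at the
    moment it is opened or executed, regardless of which directory holds it."""
    return file_matches(path)


def build_sample_tree() -> Path:
    """Construct a throwaway tree resembling the layout described above:
    a normal user folder plus a hidden NProtect-style folder. All contents
    are constructed sample data."""
    root = Path(tempfile.mkdtemp(prefix="nprotect_demo_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.txt").write_bytes(b"quarterly numbers")
    (root / "Documents" / "bad.exe").write_bytes(b"MZ..." + SIGNATURES[0])
    hidden = root / "NProtect"
    hidden.mkdir()
    (hidden / "restore.dat").write_bytes(b"deleted spreadsheet")
    # The planted payload: same marker, but inside the excluded folder.
    (hidden / "dropper.exe").write_bytes(b"MZ..." + SIGNATURES[0])
    return root


def demo():
    """Run the before/after comparison and return the three results."""
    root = build_sample_tree()
    before = scheduled_scan(root, excluded_dirs=["NProtect"])  # pre-fix policy
    after = scheduled_scan(root)                               # exclusion removed
    on_access_hit = on_access_scan(root / "NProtect" / "dropper.exe")
    return before, after, on_access_hit


if __name__ == "__main__":
    before, after, on_access_hit = demo()
    print("scheduled scan, NProtect excluded:", before)
    print("scheduled scan, exclusion removed:", after)
    print("on-access check of NProtect/dropper.exe:", on_access_hit)
```

The point of the comparison is that the on-access check does find the planted file, but only once something touches it; the scheduled scan with the exclusion in place reports the tree clean apart from Documents/bad.exe. Any directory a scanner is told to skip should be treated as attack surface and audited the same way.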
The practice of hiding directories from Windows is superficially reminiscent of Sony's notorious rootkit-like use of its XCP copy protection, which turned into a PR disaster in November. The issue was also brought to Symantec's attention by Mark Russinovich of sysinternals.com, who discovered and publicised what Sony was doing with XCP.
The issue in SystemWorks is not as significant, Symantec will argue with some justification, because there was no intention to deceive the user for ulterior purposes. "Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder. This update is provided proactively to eliminate the possibility of that type of activity," the advisory concludes.
However, despite the company having come clean, it is hard to escape the impression of thoughtless and complacent software design in the past. This is an issue that could have caused problems had it not been noticed by third parties before it was noticed by malware writers.