ZDI: Symantec, Kaspersky, CA, MS have unpatched flaws

The Zero Day Initiative program lists several new vulnerabilities reported within a week. From their Upcoming ZDI Advisories page:

Affected Vendor - Severity - Reported on / Age:

Microsoft - High - 2006.11.08, 7 days ago (2 advisories)
Mozilla - High - 2006.11.08, 7 days ago
Computer Associates - High - 2006.11.08, 7 days ago (3 advisories)
Kaspersky - High - 2006.11.09, 6 days ago
Symantec - High - 2006.11.09, 6 days ago

It appears that many of them are related to AV or firewall software or am I wrong? CA, Kaspersky, Symantec etc.

Unknown Sophos products suffer from unpatched vulnerabilities too, but they are about two months old:

Sophos - High - 2006.09.14, 62 days ago (2 advisories)

And Mozilla and Microsoft products have their own unpatched issues listed as well.



5 Comments:

  1. > It appears that many of them are related to AV or firewall software or am I wrong? CA, Kaspersky, Symantec etc.
    yeah, you are right, they’re related either to AntiVirus software or to Virus Software (Microsoft)

  2. I wouldn’t post Zero Days to ZDI. It’s not fair.

    Even though they promote responsible disclosure, they’re still devoted to vendors, and we (sec researchers) have no guarantee whatsoever that we will indeed receive what’s ours before the vendor is notified. And what if they say that they’re “not interested in your zero day” when they have indeed already looked at it?

    I don’t know if you get my point. The thing is, sometimes you don’t even have to show the code to make the PoC public.

  3. So, do you think iDefense is the best place to disclose a vuln?

    How does one company know that a vulnerability that has been reported to them hasn’t already been reported to the other (maybe by another researcher)?

    And last: which of the two companies pays better?

  4. 60 days is way… way… overdue.

  5. Unpatched vulnerabilities in security products…

    The other day I wrote a post over on my ZDNet blog called The desktop AV debate. One of the points I made in that entry was that security software such as firewalls and antivirus offer a massive surface area for hackers to launch attacks on….
