Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

This advisory at https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00 indicates that various Symantec products, including NIS, were vulnerable and received the related patch through LiveUpdate. Although the advisory clearly indicates that the installed version of my Norton product was vulnerable (good disclosure), my LiveUpdate history does not reflect any information relating to receiving the necessary patch to remediate the exposure.

PLEASE PROVIDE DETAILS FOR VERIFICATION OF PATCH APPLICATION for affected Norton products

Replies


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

The Help ->About Box in the product UI will show the version 22.7.0.x if the update has been successfully applied.

https://www.symantec.com/security_response/securityupdates/detail.jsp?fi...


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

I was aware of that advice in the advisory but it's not relevant to me since I'm on 21.7.0.11.   Thanks anyway.


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

It is very relevant.  Essentially, version 22.7.x IS the patch.  You need to update your product.


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

I have seen no announcement by Symantec that support of 21.7.0.11 has been discontinued.


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

SendOfJive:  It is very relevant.  Essentially, version 22.7.x IS the patch.  You need to update your product.

v22.7 is the patch for v22.x
If v22.7 is patch for v21.x.   There's been holes a long time.


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

Symantec has verified these issues and addressed them in product updates as identified in the solution portion of the affected products matrix above.

https://www.symantec.com/security_response/securityupdates/detail.jsp?fi...

The matrix shows all Norton products prior to version 22.7.x are vulnerable and that the solution is to update to the patched version through LiveUpdate.


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

all Norton products prior to version 22.7.x are vulnerable

there's been holes a real long time


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

RLWA32:

I have seen no announcement by Symantec that support of 21.7.0.11 has been discontinued.

I asked a similar question about Norton v21.7.0.11 in Gretar's thread Security holes in Symantec and Norton products!.  Could one of the Symantec employees please confirm that v21.x will not be patched for these vulnerabilities?

I downgraded back to v21.7.0.11 because I was not happy with the performance of v22.x on my 32-bit Vista machine.  Vista users are currently reporting problems with SONAR and connections to the backend servers with v22.7.0.76 - see Danny B.'s thread 22.7.0.76 problem on Vista.
------------
32-bit Vista Home Premium SP2 * Firefox v47.0.1 * NIS v21.7.0.11 * MBAM Premium v2.2.1


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

and not to mention but, I will ...>  Norton 22.7 - Hot Issues and Fixes

Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

bjm_:

http://www.ghacks.net/2016/06/29/google-shames-symantec-for-security-issues/

The product update announcement Norton 22.7 Product Update Available Now was edited 27-Jun-2016 to reflect a hotfix for the Norton Toolbar but the What's New section still doesn't mention anything about v22.7 patching multiple critical security vulnerabilities.

And there's still no pinned post at the top of the NIS/NAV/N360 board warning v21.7.0.11 and earlier users that they are currently running unpatched products that should be upgraded to v22.7.0.76 ASAP.  Aside from the SYM16-010 security advisory buried on the Symantec Response site and a somewhat cryptic post by Tony Weiss in RLWA32's thread Support of NIS 21.7.0.11 Discontinued I haven't seen any official response from Symantec warning users about the dangers of continuing to use older versions of Norton.

Symantec should be publicly shamed if this is their idea of responsible customer service.
------------
32-bit Vista Home Premium SP2 * Firefox v47.0.1 * NIS v21.7.0.11 * MBAM Premium v2.2.1


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

lmacri:
bjm_:

http://www.ghacks.net/2016/06/29/google-shames-symantec-for-security-issues/

The product update announcement Norton 22.7 Product Update Available Now was edited 27-Jun-2016 to reflect a hotfix for the Norton Toolbar but the What's New section still doesn't mention anything about v22.7 patching multiple critical security vulnerabilities.

And there's still no pinned post at the top of the NIS/NAV/N360 board warning v21.7.0.11 and earlier users that they are currently running unpatched products that should be upgraded to v22.7.0.76 ASAP.  Aside from the SYM16-010 security advisory buried on the Symantec Response site and a somewhat cryptic post by Tony Weiss in RLWA32's thread Support of NIS 21.7.0.11 Discontinued I haven't seen any official response from Symantec warning users about the dangers of continuing to use older versions of Norton.

Symantec should be publicly shamed if this is their idea of responsible customer service.
------------
32-bit Vista Home Premium SP2 * Firefox v47.0.1 * NIS v21.7.0.11 * MBAM Premium v2.2.1

ITMA.
Changed-out N360 v21.7.0.11 - N360 v22.7.0.76, using the RnR Tool.
All progressed fine. Routine tested the facilities. OK

Hopefully, safely patched ?
Be safe out there !

"It's That Man Again."
The Silver Surfer. AK.  [ Nil illegitimi carborundum ! ]
p.s " AND NOW FOR, THE BBC NEWS ! "
http://www.bbc.co.uk/news/technology-36672002


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

That advisory does not list 'Norton Security for Mobile' as being affected, but since it uses even more 'open source' code, it might be even more vulnerable. 

Does anyone know if it is or if there is a fix or patch for 'Norton Security for Mobile'?


Re: Verification of patching for Security Advisory SYM16-10 - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

Support is provided for all Norton products that have not reached the support end of life. You may be required to update to the latest version of your product during the support process.
Symantec reserves the right to change its support policies at any time without notice.

https://support.norton.com/sp/en/us/home/current/solutions/v74023230
