
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


McAfee Update Takes Out Windows Systems

McAfee recently encountered one of the worst things an antivirus software vendor could face - an update to their antivirus tools led to Windows XP systems losing critical system files (specifically svchost.exe) and crashing. It might only have been available for a short period of time, but the error-containing DAT (5958) was enough to cause significant problems for McAfee customers.

McAfee have published their own Corporate KnowledgeBase entry which details what happened and what users can do to try and avoid being left with an unbootable system after applying the 5958 DAT. It all comes down to a false positive for the w32/wecorl.a malware, but it is one of the most damaging false positives an antivirus product can produce. The malware that was falsely identified tries to replace the real svchost.exe with a corrupted copy, so triggering on legitimate versions of the file is at least understandable, even though it is something that should have shown up early in testing of the update (by both McAfee and end users / administrators).

Customers across the globe were affected, but one of the strangest outages was with the Australian supermarket giant, Coles. According to media reports over 1,000 supermarket checkouts were forced to close after the corrupted DAT was applied to store systems. It seems odd that a point of sale register needs to run an antivirus, when it should be no more than a dumb terminal with a limited scope and feature set. It can be argued that if it has the sort of access that allows antivirus updates then it needs them, but maybe the register is over-specced for what it needs to be - similar to ongoing arguments about the need for SCADA systems to talk to the wider Internet. With two states affected, the question turns to how much money the major supermarket lost due to the outage. The damage in Australia didn't stop there, with the Commonwealth Bank and Virgin Mobile also affected to a reasonable extent.

The corrupted update didn't affect all systems equally: Windows XP SP3 systems were the most likely to be hit, and McAfee believed that less than 0.5% of their customer base was affected by this particular problem. That figure is now being disputed, with claims that a far larger percentage of users encountered the problem. Judging by comments posted across the Internet regarding this outage, there are a lot of very unhappy users who have been hit hard by this incident.

Many security-aware businesses have evolved processes to test and evaluate system updates before deploying them across their networks; perhaps the same should be applied to any software update, antivirus definitions included. Such an approach seems prudent, given historic cases of antivirus vendors occasionally screwing up their updates, but when updates come daily and a major corporation is under constant attack and threat of breach, it can be difficult to resist the temptation to roll out the update straight away. After all, it's just a definitions file; it shouldn't take a system down (in theory, at least).
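One concrete form the "test before you deploy" process can take is a canary gate: apply the new DAT to a small group of representative hosts, then verify that the scanner did not quarantine or alter any file the operating system cannot boot without before the definitions are pushed to the rest of the fleet. The script below is an added illustration of that gate, not code from the article or from McAfee; the list of critical file names, the temporary directory standing in for a canary host's system folder, and the simulated "good" and "bad" updates are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed list of files a definitions update must never remove or alter on
# a Windows host. svchost.exe is the casualty in the incident above; the other
# two names are illustrative additions for this example.
CRITICAL_FILES = ["svchost.exe", "winlogon.exe", "lsass.exe"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(system_root: Path) -> dict:
    """Record the hash of every critical file before the update is applied."""
    return {name: sha256_of(system_root / name) for name in CRITICAL_FILES}


def check_after_update(system_root: Path, baseline: dict) -> dict:
    """Compare the canary host's post-update state against the baseline.

    Reports files that are missing (deleted or quarantined by the scanner),
    files whose contents changed (replaced or truncated), and files untouched.
    """
    report = {"missing": [], "changed": [], "ok": []}
    for name, expected in baseline.items():
        path = system_root / name
        if not path.exists():
            report["missing"].append(name)
        elif sha256_of(path) != expected:
            report["changed"].append(name)
        else:
            report["ok"].append(name)
    return report


def safe_to_promote(report: dict) -> bool:
    """The gate: promote the DAT to the fleet only if the canary lost nothing."""
    return not report["missing"] and not report["changed"]


def demo() -> tuple:
    """Run the gate on a constructed canary in a temporary directory.

    Simulates a clean update (nothing touched) and a bad one that quarantines
    svchost.exe and overwrites lsass.exe with a corrupted copy.
    Returns (clean_ok, bad_ok, bad_report).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in CRITICAL_FILES:
            # Constructed stand-in contents; real files would be the OS binaries.
            (root / name).write_bytes(b"MZ stand-in for " + name.encode())
        baseline = take_baseline(root)

        clean_report = check_after_update(root, baseline)   # good DAT: no change

        (root / "svchost.exe").unlink()                     # bad DAT quarantines it
        (root / "lsass.exe").write_bytes(b"corrupted")      # bad DAT mangles it
        bad_report = check_after_update(root, baseline)

        return safe_to_promote(clean_report), safe_to_promote(bad_report), bad_report


if __name__ == "__main__":
    clean_ok, bad_ok, report = demo()
    print("clean update promoted:", clean_ok)
    print("bad update promoted:", bad_ok)
    print("missing:", report["missing"], "changed:", report["changed"])
```

In practice the baseline would be taken from a known-good canary image, the check would run after the scanner's on-access and scheduled scans have had time to act on the new signatures, and a failed gate would hold the update back while the vendor is contacted, which is exactly the step that would have caught a signature that quarantines svchost.exe.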

The worst outcome is that this may scare users and administrators away from applying DAT files as regularly as they are released (and not just McAfee's), for fear of once again being left without alternate Internet or system access to remediate whatever problems a corrupted update causes in the future.

Switching to an alternative antivirus / antimalware vendor isn't going to prevent this kind of incident happening again with another vendor - most have had similar issues at least once in the past. Moving from one provider to another may also require a full system reinstallation, given the deep system hooks that antivirus applications tend to use, both to improve their ability to remove malware and to prevent disablement by malware that targets them.

25 April 2010

