Security Community Blog

Zero-Day Hit Close to Home

Patch Available for Symantec Endpoint Protection 11.x and 12.1
Created: 07 Aug 2014 • Updated: 07 Aug 2014 • 4 comments
Kari Ann

The prevalence of zero-day vulnerabilities hit close to home this week when a North American penetration tester published a report claiming to have found a vulnerability in Symantec Endpoint Protection. The finding in Symantec’s ISTR vol. 19 that zero-day discoveries rose 64%* last year became very real as the Endpoint Protection product team moved quickly to confirm the issue and respond with a patch (available on FileConnect).

To date, no known compromise has been reported due to this medium-severity vulnerability. The issue affects the Application and Device Control component of Symantec Endpoint Protection. If exploited, it could crash the client (a denial of service) or, in a successful attack, escalate to administrator privileges and gain control of the system.

It’s important to note that the vulnerability is not remotely accessible: an attacker would need direct access to the machine to carry out an exploit. The vulnerability affects all versions of Endpoint Protection 11.x and 12.1; however, Symantec Endpoint Protection 12.1 Small Business Edition is not affected. If patching is not an option, other mitigating measures are outlined in the related KB article.

For customers using version 12.1 of Symantec Endpoint Protection Manager, only the client requires the update to 12.1 RU4 MP1b to patch the issue. SEP 12.1 customers are also better protected against vulnerabilities like these thanks to the advanced protection capabilities of Insight and SONAR.

More information on the vulnerability and mitigating actions can be found in the KB article or in the official advisory.
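The post gives administrators three facts to act on: the issue lives in the Application and Device Control component (whose driver is sysplant), 12.1 clients are fixed from 12.1 RU4 MP1b onward, and disabling that component is the fallback mitigation. The following PowerShell inventory is an added example, not Symantec’s code or anything from the KB article. It reports, for one Windows host, which of those states applies. Two things are assumptions: the driver is located by a wildcard match on "sysplant" in Win32_SystemDriver, and the build number that corresponds to 12.1 RU4 MP1b is a placeholder the administrator supplies, since the page names the release but not its version string. The Small Business Edition check relies on the product’s display name containing "Small Business", which is also an assumption.

```powershell
# Added example (not Symantec's code): classify one host against the advisory.
# Assumptions: driver found by wildcard on "sysplant"; patched build number is
# supplied by the caller (placeholder); SBE detected via display name.
function Get-SepAdcExposure {
    [CmdletBinding()]
    param(
        # PLACEHOLDER: four-part build number of 12.1 RU4 MP1b from the KB article.
        [Parameter(Mandatory = $true)]
        [version]$PatchedBuild
    )

    # SEP registers under the standard Uninstall keys (native and WOW6432Node views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $sep = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' } |
        Select-Object -First 1

    # Application and Device Control's kernel driver. Absent when the component
    # is not installed; "Running" only while the component is enabled.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*sysplant*' } |
        Select-Object -First 1

    $installed = $null
    if ($sep -and $sep.DisplayVersion) { $installed = [version]$sep.DisplayVersion }
    $driverRunning = ($null -ne $driver) -and ($driver.State -eq 'Running')

    # Decision order mirrors the advisory: not installed / SBE unaffected /
    # 11.x needs its own update / 12.1 patched / unpatched but mitigated / exposed.
    if (-not $sep) {
        $status = 'SEP not installed'
    }
    elseif ($sep.DisplayName -like '*Small Business*') {
        $status = 'Not affected (Small Business Edition)'
    }
    elseif ($installed.Major -eq 11) {
        $status = 'Affected (11.x): apply the 11.x update from FileConnect'
    }
    elseif ($installed -ge $PatchedBuild) {
        $status = 'Patched (12.1 RU4 MP1b or later)'
    }
    elseif (-not $driverRunning) {
        $status = 'Unpatched, but ADC driver not running (KB mitigation in place)'
    }
    else {
        $status = 'EXPOSED: unpatched and ADC driver running; patch or apply KB mitigation'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SepVersion   = $installed
        AdcDriver    = if ($driver) { $driver.Name } else { $null }
        DriverState  = if ($driver) { $driver.State } else { 'absent' }
        Status       = $status
    }
}

# Usage (placeholder build number; substitute the real one from the KB article):
# Get-SepAdcExposure -PatchedBuild '12.1.0.0' | Format-List
```

Run it under an elevated session so the registry views and driver states are readable; across a fleet, wrap it in Invoke-Command and filter on Status to list the hosts that still need the FileConnect update or the KB mitigation.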

Comments (4)

Manipillai

Why are we still disabling sysplant? What is the use of sysplant? Can you help me with that?

MK

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

David Poston

If you upgrade to the patch, there isn't a need to disable.

David

Kari Ann

Disabling sysplant is one mitigation option for this particular exploit. The available update information, along with alternative mitigations, is outlined in our KB article: http://www.symantec.com/docs/TECH223338

Sysplant is the driver associated with Symantec Endpoint Protection’s Application and Device Control component. For information on using Application and Device Control, please review our Application and Device Control best practices KB article: http://www.symantec.com/docs/TECH145973
Khi02

@Manipillai - SysPlant.sys is the driver responsible for triggering sysfer.dll and executing a process that has the capability to either block or allow external devices.

The biggest question here is why doesn't Symantec release this as a patch combined with LU?
