Endpoint Protection

  • 1.  SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:08 AM

    Hello all, a SEP Zero Day Vulnerability (Privilege Escalation) has recently been discovered.

    To fix it, Symantec has released SEP 12.1.4 MP1 b. Please kindly confirm whether this is a delta upgrade or a full upgrade when we do it using AutoUpgrade.

     

    1. Is this SEP 12.1.4 MP1 for clients only, meaning import the package into SEPM, or upgrade SEPM to this version so that new client versions are automatically added?

    2. When upgrading clients from 12.1.4 MP1 a to 12.1.4 MP1 b via AutoUpgrade, is this a delta upgrade or a full upgrade?

    Waiting for your kind response on this. Thanks



  • 2.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:20 AM

    Would anyone please like to comment on this?



  • 3.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )
    Best Answer

    Posted Aug 06, 2014 02:32 AM

    1) Is this SEP 12.1.4 MP1 for clients only, meaning import the package into SEPM, or upgrade SEPM to this version so that new client versions are automatically added?

    You can add the SEP client package only. No need to upgrade SEPM.

    See this thread

    https://www-secure.symantec.com/connect/forums/permanent-fix-symantec-endpoint-protection-zero-day-vulnerability



  • 4.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:36 AM

    James, is this SEP 12.1.4 MP1 (b) a delta upgrade or a full upgrade when done via AutoUpgrade?



  • 5.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:38 AM

    In SEP 12.x, maybe it's a delta upgrade.



  • 6.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Broadcom Employee
    Posted Aug 06, 2014 02:40 AM
    1. Is this SEP 12.1.4 MP1 for clients only, meaning import the package into SEPM, or upgrade SEPM to this version so that new client versions are automatically added?

    Yes, you can import the package into the SEPM console and push the package to the agents.

     

    2. When upgrading clients from 12.1.4 MP1 a to 12.1.4 MP1 b via AutoUpgrade, is this a delta upgrade or a full upgrade?

    When done via the AutoUpgrade feature, it will be a delta file sent to the agents.



  • 7.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:48 AM

    Pete, thanks for your response. OK, you have clarified that when clients are upgraded to 12.1.4 MP1 (b) from 12.1.4 MP1 (a), it will be a delta upgrade when done via AutoUpgrade, right?

    Secondly, could you please shed some light on this newer version, 12.1.4 MP1 (b), and what exactly it does to fix this vulnerability? Does it remove Application and Device Control, or what does it do?

    Your response on this would be highly appreciated. Thanks



  • 8.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 02:50 AM

    Check this

    Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)

    Article:TECH223338 | Created: 2014-07-29 | Updated: 2014-07-31 | Article URL http://www.symantec.com/docs/TECH223338

    Security Advisories Relating to Symantec Products - Symantec Endpoint Protection Local Client Application Device Control Buffer Overflow

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00



  • 9.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Broadcom Employee
    Posted Aug 06, 2014 03:15 AM

    The sysplant driver, loaded as part of the Application and Device Control (ADC) component on a SEP client, does not do sufficient validation of external input which could result in a local client BSOD denial of service or, if successfully exploited, potentially local elevation of privilege on the client system.

    Symantec Response
    Symantec product engineers verified this issue and have created an update to resolve it. Customers should use the mitigation described below until the available update can be installed to address this issue. 



  • 10.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 07:54 AM

    It patches the sysplant driver



  • 11.  RE: SEP Zero Day Vulnerability ( Privilege Escalation )

    Posted Aug 06, 2014 09:52 AM

    Just wanted to point out there was no such thing as a RU4 MP1a SEP Agent, that version ONLY applied to the SEPM, and it came with the previous RU4 MP1 SEP agent.

    Now with the release of RU4 MP1b to address the 0-day vuln, Symantec staff have stated the SEPM code is the same, and the SEP Agent is now up to version RU4 MP1b. That said, I have yet to install this to verify, but judging by their comments here, the version of the SEPM should still be that of RU4 MP1a.

    It doesn't help that they simply don't refer to their products by the number version; this letter approach just confuses folks here, it seems.