Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog



Upcoming MySQL patch fixes several critical vulnerabilities

Published: 2010-05-16
Last Updated: 2010-05-21 22:58:10 UTC
by Rick Wanner (Version: 2)
1 comment(s)

William wrote in to let us know that the changelog for the upcoming release of MySQL, version 5.1.47, has been released, and it appears this release fixes several critical vulnerabilities and probably should be applied as quickly as is reasonable. What is interesting is that although a relatively detailed changelog is available, which describes in some detail the vulnerabilities being addressed and could be interesting to attackers, I could not find any information on when the 5.1.47 release would be available.

If anyone can provide a pointer to this release information, please pass it on to us.

 

Update May 21st: 5.1.47 is now available

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: mysql

Symantec triggers on World of Warcraft update

Published: 2010-05-16
Last Updated: 2010-05-17 03:41:37 UTC
by Rick Wanner (Version: 1)
10 comment(s)

We have had a couple of reports over the last 24 hours of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new, which is a component of World of Warcraft.

Judging by the traffic on this topic in the WoW forums, it would appear these are not isolated reports.

The detailed version of the alert is:

Severity = High
Activity = Auto-Protect has detected Infostealer
Date & Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recomended Action = Resolved no action

Risk Catagory = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\users\public\world of warcraft\scan.dll.new

What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on? Is this an old signature from a previous issue?

I have been interested for a while in the accuracy of Anti-Virus products in the modern computing world. The Anti-Virus paradigm we have used since the 80's is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.

I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality. Most of these are attempts at more heuristic or behavior-based products that rely less on signatures. It seems to me that since these attempts require a little more of a "fuzzy" approach to anti-virus, won't these sorts of false positives likely become more common, not less?

Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?

As usual I am interested in your opinions.  You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.

 

-- Rick Wanner - rwanner at isc dot sans dot org

 

P.S.  If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read I would be fascinated to have it.
