Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Mailbag: MS Patches / Symantec Vuln

Published: 2007-05-10
Last Updated: 2007-05-11 13:03:24 UTC
by Daniel Wesemann (Version: 2)
0 comment(s)
Some readers reported 99% CPU eaten up by svchost.exe after they had applied the recent batch of MS updates. Cause and effect are not quite clear, but a common thread seems to be that MS recommend a look at KBID 927891 and some readers have also pointed us to the WSUS Blog where the same issue is mentioned. According to another ISC reader, to resolve the issue it is necessary to first apply 927891, and then to do the WU client upgrade.

David from the UK (thanks David) writes the following on the svchost.exe issue.
"The problem is due to the Automatic Update Service which uses the Generic Host Service which runs a svchost.exe process. If you switch off the Automatic Update Service the problem with svchost.exe using 100% of the CPU cycles stops. Once you have done all of the updates you can switch the Automatic Updates Service back on."
Some of the retail user versions of Symantec AV come with an ActiveX component that can be exploited to allow remote code execution. More on Symantec's Website . According to the advisory, running the built-in "LiveUpdate" of the product should be sufficient to fix the vulnerability.
Keywords:
0 comment(s)
Diary Archives