5.29.2006

What Symantec Could Learn from Microsoft

People can joke all they want about the number and severity of Microsoft security vulnerabilities, but all this practice has enabled them to develop an excellent security response system.

Symantec should take note.  Their most recent security vulnerability (SYM06-010) has spawned a confusing array of maintenance and point patches.  Initial media reports claimed that only version 10.1 was affected.  However, after reviewing the most recent Symantec e-mail bulletin it appears that version 10.0 is affected as well.

In Symantec’s defense, the vulnerability information page for SYM06-010 is fairly well laid out.  In fact, I like that I don’t need to expand a nested hierarchy to get the information I’m looking for.  See Microsoft security bulletin MS06-018 as an example.  Scroll down to the General Information section… why should I have to click so many ‘+’ symbols?  At least give me an expand all option or something.

Oh, and this guy’s post is classic.  According to him, now that a patch is released there’s nothing to worry about.  Here’s his quote:

“The issues of remote code execution have been resolved now, thanks to the fix which means that the products are no longer vulnerable to a stack overflow”

Please move along… nothing to see here.  What a joke.  How many people spent their holiday weekend patching Symantec products?  Not very many, I’m sure.  This issue will continue to dog Symantec for many weeks to come.  I sincerely hope we don’t see any widespread attacks as a result of this vulnerability.  Anyway, it’s too bad we have a double standard when it comes to reporting security issues.

Here is a list of things I’d like to see from Symantec:

  • Simplify the servicing of your software.  Not everyone understands the difference between maintenance releases, point releases, etc.
  • Offer an RSS feed of Symantec product vulnerabilities (including Veritas and other recent acquisitions).  The Symantec Security Response page would be a good place to locate such a feed.
  • Provide a security bulletin search tool similar to the Microsoft one found here.  Let me choose my product version, my OS, etc. and show all applicable updates.

What do you think?  If you’re a Symantec customer, how did you learn about the SYM06-010 vulnerability?  What about vulnerabilities 001 through 009?