Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Symantec Code-Signing Mistake Leaves Norton Users PIFTS Off

Coding error leads to speculation and conspiracy theories -- but no data loss

A coding error in a recent patch of Symantec's Norton security products has caused a great buzz among security experts -- and a few conspiracy theories -- across the Web.

A file called PIFTS.exe was flagged by security researchers and malware detectors in the most recent patch of Norton Internet Security and Norton Antivirus 2006 and 2007, which was issued just days ago. The file appeared to be collecting data from users' PCs and sending it back to a server at Symantec, causing many security pros to wonder what the company was up to.

A number of users attempted to discuss the problem on the Symantec user forum, but their messages were summarily deleted by Symantec, fueling speculation that something sinister was afoot.

After much user discussion, however, a few hours ago Symantec finally published a blog explaining the PIFTS problem. Apparently, PIFTS stands for Product Information Troubleshooter, and it's a simple tool that helps Symantec collect information about how and when its patches are installed.

The most recent release of PIFTS was left unsigned by Symantec developers, which triggered an alert from malware detectors that the file might not be authentic. Symantec called the problem a "human coding error."

During the discussion of PIFTS on the Symantec user forum, a spammer submitted some 600 new posts to the thread in less than an hour. In an effort to stop the spam attack, the company was forced to delete all of the posts in the thread, the security company explained.

Symantec said the PIFTS error has been fixed and that no private user information was collected by the file. However, Symantec did warn that some phishers have been seen taking advantage of the problem to steer users to malicious code sites; it cautioned users to be wary of Google search results that promise explanations or solutions to the PIFTS problem.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.