Today I got an email that says there is a vulnerability in SEPM that requires immediate attention. I have customers with SEPM, so if this is true, I care about it.
Question #1: Is this phishing? The email isn't actually from symantec.com. It's from symantec-corporation.com. Whois says the registrar is in Australia, but the domain is owned by some email addresses at symantec.com. So probably not phishing, but why why why do these big companies always insist on sending emails from a secondary domain nobody's seen before? Oh well, moving on...
Question #2: What is the impact of this? The email doesn't say, except to tell me that I must immediately update. It doesn't say what version I need to update to or anything like that - just SOMETHING IS BAD UPDATE NOW!!!. There's a link to Symantec FileConnect, which just goes to a page requesting a serial number. As far as I can tell there's nowhere in SEPM to get this, and of course this impacts the customers who haven't adopted configuration management, so I have to go search for the serial number. SEPM does have LiveUpdate internally, so I manually triggered it, but it doesn't look like this update is available anywhere from within the software.
Ok, there's another couple links. One goes to a page that says that you can apply the update or else block firewall ports and lose functionality. Well sure, I'd like to apply the update. There's also another link to the FileConnect serial number request page.
The second link from the email goes to a security advisory, which says that the problem is a cross-site and SQL injection vulnerability. Bad stuff, though it would be much worse if my SEPM was exposed to the open Internet (?!?? who does that?). And there's yet another link to FileConnect.
OK, fine, the world will come to an end if I don't dig up the serial number. So I root around the customer files until I come up with it. So now that I've finally entered the magical wonderland of FileConnect - but wait. The only thing on here is a bunch of links, all dated 2011, to download SEPM 12.1 in different languages. There's no mention whatsoever of this uber-critical patch.
So, hmm, "International English" seems better than Czech or "Brazilian" (which I assume means Portuguese?). Now what. Well, we have the install files for SEPM 12.1.4a. "Part 1" is 1.7 GB and "SEPM_EN" is 1.4 GB. Which one do I need? Apparently I have to go read the documentation as if doing a new install.
But wait - the advisory said I had to upgrade to "SEPM 12.1 RU4a SBE (12.1.4023.4080)." Is this the same as the version 12.1.4a listed on the page? No way to tell whatsoever. If you click on the release notes, they only go up to 12.1.4 (12.1 RU4). Well, it seems that you can replace "RU" with a dot, so presumably this is the right version. But the minor version number (12.1.4023.4080)? As far as I can tell, you have to download multiple gigabytes before you find out what you're getting. And of course this is installed at the customer with the slow and overloaded AT&T DSL link.
I mean, yes, I understand there's a vulnerability and I want to patch it. But should it take me a day of work to do it?
At this point, between the Backup Exec 2012 fiasco, the sudden unexpected cancellation of Backup Exec.Cloud, and everything else going on at Symantec lately, I wouldn't be at all surprised if my next email from them said they were getting out of the antivirus business in order to focus on manufacturing big red prosthetic noses and curly purple wigs.
Seriously ... has anyone else done this update and is there any kind of short-cut to it? Or do you really have to re-download and re-install the entirety of SEPM?
Edit: Just found the other thread of this here.