Free Republic

Symantec Scrambles to Fix Firewall Flaws (for Norton users)
InternetNews.com ^ | May 13, 2004 | Ryan Naraine

Posted on 05/13/2004 4:03:11 PM PDT by JoJo Gunn

Computer security specialist Symantec Thursday moved swiftly to patch four very serious vulnerabilities in its popular Norton firewall product suite.

An alert from Cupertino, Calif.-based Symantec described the flaws as "high risk" and warned that a successful exploit could wipe out a user's computer. Attackers could also execute remote code with kernel-level privileges on the targeted system.

The vulnerabilities, first discovered by researchers at eEye Digital Security, affect both enterprise and consumer Norton users. Affected products include the Symantec Client Firewall 5.01 and 5.1.1; the Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1); the Norton Internet Security and Professional 2002, 2003, 2004; Norton Personal Firewall 2002, 2003, 2004; and the Norton AntiSpam 2004.

Independent research firm Secunia rates the flaws as "extremely critical" because they could lead to a destructive worm attack. "The vulnerability is very similar to the 'ICQ Response Buffer Overflow' vulnerability in various ISS products, which was already exploited by the 'Witty' worm the day after it was disclosed to the public," Secunia warned.

Secunia CTO Thomas Kristensen told internetnews.com the vulnerabilities could be using UDP traffic, which could lead to a scenario of a "fast and violent" attack similar to the Slammer worm that exploited Microsoft SQL servers last year.

"It is important that people patch and upgrade their Symantec Firewall Products today as there is no other effective solution against this," Kristensen said.

For Symantec, the discovery of such a serious bug in products designed to provide PC security could be disastrous. The company has used the popularity -- and success -- of the Norton anti-virus brand to gain traction in the enterprise market with VPN and firewall management applications.

Now comes word that Norton firewalls can be exploited no matter how the firewall has been configured. To its credit, Symantec wasted no time in confirming the existence of the holes and rushing out fixes. Patches have been released through Symantec LiveUpdate and technical support channels.

Clients running consumer versions of the affected products who regularly run a manual Symantec LiveUpdate should be automatically protected against this issue. "However, to be sure they are fully protected, customers should manually run Symantec LiveUpdate to ensure all available updates are installed," the company said.

Enterprise users of Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels. The company said it was unaware of any active attempts to exploit the flaws.

The flaws include a boundary error within the "SYMDNS.SYS" driver when processing certain NBNS (NetBIOS Name Service) datagrams. This bug can be exploited to cause a stack-based buffer overflow by sending a specially crafted NBNS response to a vulnerable system.

Most of the flaws leave users at risk of scenarios where an attacker could execute malicious code with kernel mode privileges.


TOPICS: Technical
KEYWORDS: computers; computersecurity; cybersecurity; hackers; lowqualitycrap; security; virus; worms
Apparently Norton's firewall isn't safe enough. Best to check for updates.
1 posted on 05/13/2004 4:03:13 PM PDT by JoJo Gunn
[ Post Reply | Private Reply | View Replies]
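
An added example, not part of the article or of Symantec's code: the article names a boundary error while processing NBNS datagrams but gives no field or code, so this only illustrates the class of check such a parser needs, decoding an RFC 1002 first-level-encoded name into a fixed 16-byte buffer. The function name `nbns_decode_name` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define NB_ENCODED_LEN 32   /* first-level encoded name: 32 bytes, 'A'..'P' */
#define NB_NAME_LEN    16   /* decoded NetBIOS name: 16 bytes */
#define NB_MAX_WIRE    255  /* longest name field allowed on the wire */

/* Constructed sample: length byte, "WORKGROUP" padded to 15 bytes plus a
 * 0x00 suffix, then the string's own NUL as the terminating root label. */
static const uint8_t sample_name[] = "\x20" "FHEPFCELEHFCEPFFFACACACACACACAAA";

/* Decode the name field at pkt[off] into out. Returns 0 and sets *next to
 * the offset just past the field, or -1 if it is malformed or truncated. */
int nbns_decode_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                     uint8_t out[NB_NAME_LEN], size_t *next)
{
    size_t start = off;
    /* The length byte and all 32 encoded bytes must lie inside the datagram. */
    if (off >= pkt_len || pkt_len - off < 1 + NB_ENCODED_LEN)
        return -1;
    if (pkt[off++] != NB_ENCODED_LEN)   /* never trust the length byte */
        return -1;
    for (size_t i = 0; i < NB_NAME_LEN; i++) {
        uint8_t hi = pkt[off + 2 * i], lo = pkt[off + 2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        out[i] = (uint8_t)(((hi - 'A') << 4) | (lo - 'A'));
    }
    off += NB_ENCODED_LEN;
    /* Skip optional scope labels until the zero-length root label. */
    for (;;) {
        if (off >= pkt_len)
            return -1;
        uint8_t len = pkt[off++];
        if (len == 0)
            break;
        if (len > 63)                   /* also rejects compression pointers */
            return -1;
        if (pkt_len - off < len || (off - start) + len >= NB_MAX_WIRE)
            return -1;
        off += len;
    }
    *next = off;
    return 0;
}

int main(void)
{
    uint8_t name[NB_NAME_LEN]; size_t next;
    return nbns_decode_name(sample_name, sizeof sample_name, 0, name, &next);
}
```

Every length is compared against the bytes that remain in the datagram before anything is read or written, so a truncated packet or an oversized length byte is rejected rather than copied.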

To: JoJo Gunn

BTTT for later


2 posted on 05/13/2004 4:14:41 PM PDT by Brad’s Gramma (Have y'all tried the new Bloggers & Personal section?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

I've just looked over the site after posting this story, and there's not a mention of it anywhere on Symantec's site. Neither is it in the list when you manually bring up "Live Update".

http://www.symantec.com/index.htm


3 posted on 05/13/2004 4:15:16 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

It never ceases to amaze me how, 34 years after the C programming language was invented, buffer overruns still plague software, get past QA and are exploited by haxors.

Find a surefire way to catch buffer overruns in code, and you will have found the programmer's Holy Grail.


4 posted on 05/13/2004 4:17:12 PM PDT by Imal (Revenge is a dish best served often.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

No, it's time for laws to put the little kids that are doing this in the jug for a long, long time. And monies must be there to back up the laws.

One more thing: the little kids shall not have access to computers or data for 5 years.


5 posted on 05/13/2004 4:26:56 PM PDT by camas
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn
Yikes. A certain large manufacturer that I used to work for required Symantec firewall software on all of their laptops.
6 posted on 05/13/2004 4:28:17 PM PDT by TechJunkYard (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

Go Zonealarm! Free and it kicks @!#!@!.


7 posted on 05/13/2004 4:32:48 PM PDT by Spacemonkey1023
[ Post Reply | Private Reply | To 1 | View Replies]

To: TechJunkYard

The problem with Live Update is they are sometimes broken down into more manageable pieces, to be downloaded over time. I suppose this is for dialup users.

For virus definitions, I go directly to this page and download the latest.

http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html

I just set up a new Dell at work yesterday, and that 2004 Internet Security product came with it. It took three LIVE UPDATES and three reboots to get all the data current.


8 posted on 05/13/2004 4:33:58 PM PDT by BurbankKarl
[ Post Reply | Private Reply | To 6 | View Replies]

To: Spacemonkey1023

Gonna try it.


9 posted on 05/13/2004 4:40:17 PM PDT by american spirit
[ Post Reply | Private Reply | To 7 | View Replies]

To: BurbankKarl

Yeah, I've noticed how it's in pieces whenever I do a reinstall. Part of it I can understand, since some things have to have a restart before the next can be accepted. And at the last there's the part for where you can make emergency floppies.

(Norton's had a lot of angry people, I gather, since the first of this year, with connection boxes popping up all the dang time after a certain update(s) they issued).


10 posted on 05/13/2004 4:49:01 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Imal

Ya, I don't understand it either.

I write a lot of code in assembly where buffer overflows only result in a loss of buffer data, not some nasty external data/code execution launcher.


11 posted on 05/13/2004 4:49:26 PM PDT by DB (©)
[ Post Reply | Private Reply | To 4 | View Replies]

To: nutmeg

bookmark bump


12 posted on 05/13/2004 4:50:31 PM PDT by nutmeg (Why vote for Bush? Imagine Commander in Chief John F’in al-Qerry)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn
I use Norton regularly, and have been getting a "refusal to connect" from Symantec since noon today. Are others having the same problem? Please advise me on what others know.

Urgent!

John / Billybob

13 posted on 05/13/2004 4:54:23 PM PDT by Congressman Billybob (www.ArmorforCongress.com Visit. Join. Help. Please.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Imal
Isn't that what Gates is trying to do, yet sew it up where you'll have to have a former fry cook give you authorization to play a .wav file? (I admit I'm not savvy about computer languages. Am I comparing apples and oranges with buffer overruns and wariness over DRM, etc? I don't want to come across as an MS basher. I'm just a layman who doesn't know if he'll be any safer, depending on just who sews up the code).
14 posted on 05/13/2004 4:55:53 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Spacemonkey1023

Zone Alarm Pro bump.


15 posted on 05/13/2004 4:59:08 PM PDT by First_Salute (May God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: JoJo Gunn

Norton's firewall is like the Borg. It takes over your computer.

ZoneAlarm is your friend.


16 posted on 05/13/2004 5:00:05 PM PDT by TSgt (What have you done for your country today?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

Bump


17 posted on 05/13/2004 5:01:34 PM PDT by ODC-GIRL (Proudly serving our Nation's Homeland Defense)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Congressman Billybob

I honestly don't know.

Where I got this story was from a computer forum I like to hang around, and as you'll see it's one of the headlines at the top. It was just posted, oh maybe 15 minutes before I came here to post it. I posted something about it there at VDr first, but so far nobody has commented on it.

I myself am connecting okay, and usually manually click the update box in the tray and check for updates. Don't use auto-update since it slows things down right in the middle of something else, but I check every day. I just checked again and there's nothing yet, no new AV updates for today, nothing.

I almost hated to post, seeing as how the story's so hot there's no suggestions to anyone here. sigh Didn't NOT want to either, though.

http://discussions.virtualdr.com/

http://discussions.virtualdr.com/showthread.php?s=&postid=810648#post810648


18 posted on 05/13/2004 5:04:52 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)
[ Post Reply | Private Reply | To 13 | View Replies]

To: MikeWUSAF
I got this little HP back in July of 2001. You know how they say that the computer makers bundle everything just right? McAfee gave me fits galore, so I switched to Norton, and until the first of the year I absolutely never had a problem with them. It's been as rock stable as McAfee was like a DU'er. Now myself and a friend, who both use NIS 2002 (I actually converted him), have the connection box problem, though he a heck of a lot worse than me. There's some rumors floating about that Norton has been trying to find people with bootlegged discs. I have no idea if it's true, if it's any part of the problem, but....

I'd downloaded ZoneAlarm a couple of years back and saved it somewhere, packrat that I am. Maybe it's time I went searching for that CD.

19 posted on 05/13/2004 5:11:52 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)
[ Post Reply | Private Reply | To 16 | View Replies]

To: JoJo Gunn

ZoneAlarm has been updated several times since then. You'd do better to download it again from their website. Current version is 4.5.594, and they have been beta-testing version 5.


20 posted on 05/13/2004 5:15:49 PM PDT by Cicero (Marcus Tullius)
[ Post Reply | Private Reply | To 19 | View Replies]

