RealTime IT News

Symantec Scrambles to Fix Firewall Flaws

Computer security specialist Symantec on Thursday moved swiftly to patch four very serious vulnerabilities in its popular Norton firewall product suite.

An alert from Cupertino, Calif.-based Symantec described the flaws as "high risk" and warned that a successful exploit could wipe out a user's computer. Attackers could also execute code remotely with kernel-level privileges on the targeted system.

The vulnerabilities, first discovered by researchers at eEye Digital Security, affect both enterprise and consumer Norton users. Affected products include the Symantec Client Firewall 5.01 and 5.1.1; the Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1); the Norton Internet Security and Professional 2002, 2003, 2004; Norton Personal Firewall 2002, 2003, 2004; and the Norton AntiSpam 2004.

Independent research firm Secunia rates the flaws as "extremely critical" because they could lead to a destructive worm attack. "The vulnerability is very similar to the 'ICQ Response Buffer Overflow' vulnerability in various ISS products, which was already exploited by the 'Witty' worm the day after it was disclosed to the public," Secunia warned.

Secunia CTO Thomas Kristensen told internetnews.com the vulnerabilities could be exploited using UDP traffic, which could lead to a "fast and violent" attack similar to the Slammer worm that hit Microsoft SQL Server installations last year.

"It is important that people patch and upgrade their Symantec Firewall Products today as there is no other effective solution against this," Kristensen said.

For Symantec, the discovery of such a serious bug in products designed to provide PC security could be disastrous. The company has used the popularity -- and success -- of the Norton anti-virus brand to gain traction in the enterprise market with VPN and firewall management applications.

Now comes word that Norton firewalls can be exploited no matter how the firewall has been configured. To its credit, Symantec wasted no time in confirming the existence of the holes and rushing out fixes. Patches have been released through Symantec LiveUpdate and technical support channels.

Customers running consumer versions of the affected products who regularly run a manual Symantec LiveUpdate should already be protected against this issue. "However, to be sure they are fully protected, customers should manually run Symantec LiveUpdate to ensure all available updates are installed," the company said.

Enterprise users of Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels. The company said it was unaware of any active attempts to exploit the flaws.

The flaws include a boundary error in the SYMDNS.SYS driver when it processes certain NBNS (NetBIOS Name Service) datagrams. NBNS runs over UDP port 137, so an attacker can deliver a specially crafted NBNS response to a vulnerable system without any prior exchange; the malformed response triggers a stack-based buffer overflow in the driver.
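As an added illustration (not code from this article, from Symantec, or from eEye's advisory), the C program below shows the bug class the SYMDNS.SYS description points at: an NBNS answer whose name is first-level encoded as RFC 1002 describes, a decoder that trusts the packet's label length byte when filling a fixed 16-byte buffer, and a hardened decoder beside it that bounds every read against the datagram length and rejects any label length other than the 32 the encoding allows. The constructed "WORKSTATION" response, the function names, and the 16-byte buffer size are assumptions made for the example; nothing here is a claim about how the Symantec driver is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NBNS record geometry from RFC 1002. Both parsers are a hypothetical
 * illustration of the bug class, not code from SYMDNS.SYS or eEye's advisory. */
#define NBNS_HDR_LEN   12  /* ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define NB_ENCODED_LEN 32  /* first-level encoding: 16 name bytes -> 32 chars */
#define NB_NAME_LEN    16  /* 15 name characters + 1 suffix byte */
enum { NB_OK = 0, NB_TRUNCATED = -1, NB_BAD_LABEL_LEN = -2, NB_BAD_CHAR = -3 };

/* Vulnerable pattern: the sender-controlled label length byte sets how many bytes
 * land in a fixed 16-byte buffer; 0xFF means 127 bytes. Only called on valid input here. */
static void decode_name_unchecked(const uint8_t *rr, char *out)
{
    const uint8_t *enc = rr + 1;
    for (size_t i = 0; i < (size_t)rr[0] / 2; i++)
        out[i] = (char)(((enc[2 * i] - 'A') << 4) | (enc[2 * i + 1] - 'A'));
}

/* Hardened form: bound every read by the datagram length, accept only the one
 * label length the encoding allows, and reject characters outside 'A'..'P'. */
static int decode_name_checked(const uint8_t *pkt, size_t pkt_len, size_t off, char *out)
{
    if (off > pkt_len || pkt_len - off < 1 + NB_ENCODED_LEN + 1)
        return NB_TRUNCATED;               /* length byte, 32 chars, root label */
    const uint8_t *enc = pkt + off + 1;
    if (pkt[off] != NB_ENCODED_LEN || enc[NB_ENCODED_LEN] != 0)
        return NB_BAD_LABEL_LEN;
    for (size_t i = 0; i < NB_NAME_LEN; i++) {
        uint8_t hi = enc[2 * i], lo = enc[2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return NB_BAD_CHAR;
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    return NB_OK;
}

/* First-level encode: pad to 15 chars, append the suffix, emit 'A' + nibble. */
static void encode_name(const char *name, uint8_t suffix, uint8_t *enc)
{
    uint8_t raw[NB_NAME_LEN];
    memset(raw, ' ', 15);
    memcpy(raw, name, strlen(name) > 15 ? 15 : strlen(name));
    raw[15] = suffix;
    for (size_t i = 0; i < NB_NAME_LEN; i++) {
        enc[2 * i]     = (uint8_t)('A' + (raw[i] >> 4));
        enc[2 * i + 1] = (uint8_t)('A' + (raw[i] & 0x0F));
    }
}

/* Constructed sample: a minimal positive name-query response with one NB
 * record. label_len is the byte an attacker would forge. */
static size_t build_response(uint8_t *buf, size_t cap, const char *name, uint8_t label_len)
{
    static const uint8_t hdr[NBNS_HDR_LEN] = {  /* ID; flags: response, AA; ANCOUNT 1 */
        0x12, 0x34, 0x85, 0x00, 0, 0, 0, 1, 0, 0, 0, 0 };
    static const uint8_t rr_tail[] = {
        0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c,  /* TYPE NB, CLASS IN, TTL */
        0x00, 0x06, 0x00, 0x00, 192, 168, 1, 10 };       /* RDLENGTH 6, NB_FLAGS, address (made up) */
    size_t name_off = NBNS_HDR_LEN, tail_off = name_off + 1 + NB_ENCODED_LEN + 1;
    if (cap < tail_off + sizeof rr_tail) return 0;
    memcpy(buf, hdr, NBNS_HDR_LEN);
    buf[name_off] = label_len;
    encode_name(name, 0x00, buf + name_off + 1);
    buf[tail_off - 1] = 0;                          /* root label ends the name */
    memcpy(buf + tail_off, rr_tail, sizeof rr_tail);
    return tail_off + sizeof rr_tail;
}

static char last_name[NB_NAME_LEN];  /* name decoded by the last parse_status() */
/* Build a "WORKSTATION" response with the given label byte, optionally cut
 * short at truncate_to bytes, and return the hardened parser's verdict. */
static int parse_status(uint8_t label_len, size_t truncate_to)
{
    uint8_t pkt[128];
    size_t len = build_response(pkt, sizeof pkt, "WORKSTATION", label_len);
    if (truncate_to && truncate_to < len) len = truncate_to;
    if (len < NBNS_HDR_LEN || ((pkt[6] << 8) | pkt[7]) == 0) return NB_TRUNCATED;
    return decode_name_checked(pkt, len, NBNS_HDR_LEN, last_name);
}

static int decodes_to(const char *expect15, uint8_t suffix)  /* 1 if the valid response decodes as expected */
{
    return parse_status(NB_ENCODED_LEN, 0) == NB_OK &&
           memcmp(last_name, expect15, 15) == 0 && (uint8_t)last_name[15] == suffix;
}

int main(void)
{
    uint8_t pkt[128]; char name[NB_NAME_LEN];
    build_response(pkt, sizeof pkt, "WORKSTATION", NB_ENCODED_LEN);
    decode_name_unchecked(pkt + NBNS_HDR_LEN, name);    /* safe: label byte is 32 */
    printf("unchecked decode of valid record: %.15s\n", name);
    printf("checked verdicts: valid %d, label 0xFF %d, cut to 20 bytes %d\n",
           parse_status(NB_ENCODED_LEN, 0), parse_status(0xFF, 0), parse_status(NB_ENCODED_LEN, 20));
    return 0;
}
```

Compile with a C99 compiler (for example `cc -std=c99 -Wall` on the file). The unchecked decoder is deliberately run only on the well-formed record; pointing it at the record whose label byte is 0xFF is exactly the class of overflow the paragraph above describes, since nothing between the datagram and the 16-byte buffer checks the length. The hardened decoder returns a distinct verdict for a truncated datagram, a wrong label length, and a non-'A'..'P' character, which is what a driver sitting in the UDP receive path has to do before it touches a stack buffer.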

Most of the flaws leave users at risk of an attacker executing malicious code with kernel-mode privileges.