Computer security specialist Symantec Thursday moved
swiftly to patch four very serious vulnerabilities in its popular Norton
firewall product suite.
An alert from Cupertino, Calif.-based Symantec described the
flaws as “high risk” and warned that a successful exploit could wipe
out a user’s computer. Attackers could also execute remote code with
kernel-level privileges on the targeted system.
The vulnerabilities, first discovered by researchers at eEye Digital
Security, affect both enterprise and consumer Norton users. Affected
products include the Symantec Client Firewall 5.01 and 5.1.1; the Symantec
Client Security 1.0, 1.1, 2.0 (SCF 7.1); the Norton Internet Security and
Professional 2002, 2003, 2004; Norton Personal Firewall 2002, 2003, 2004;
and the Norton AntiSpam 2004.
Independent research firm Secunia rates the flaws as “extremely critical”
because they could lead to a destructive worm attack. “The vulnerability is
very similar to the ‘ICQ Response Buffer Overflow’ vulnerability in various
ISS products, which was already exploited by the ‘Witty’ worm the day after
it was disclosed to the public,” Secunia warned.
Secunia CTO Thomas Kristensen told internetnews.com the
vulnerabilities could be exploited using UDP traffic, which could lead to a scenario of
a “fast and violent” attack similar to the Slammer worm that exploited
Microsoft SQL servers last year.
“It is important that people patch and upgrade their Symantec Firewall
Products today as there is no other effective solution against this,”
Kristensen said.
For Symantec, the discovery of such a serious bug in products designed to
provide PC security could be disastrous. The company has used the
popularity — and success — of the Norton anti-virus brand to gain traction
in the enterprise market with VPN applications.
Now comes word that Norton firewalls can be exploited no matter how the
firewall has been configured. To its credit, Symantec wasted no time in
confirming the existence of the holes and rushing out fixes. Patches have
been released through Symantec LiveUpdate and technical support
channels.
Clients running consumer versions of the affected products who regularly
run a manual Symantec LiveUpdate should be automatically protected against
this issue. “However, to be sure they are fully protected, customers should
manually run Symantec LiveUpdate to ensure all available updates are
installed,” the company said.
Enterprise users of Symantec Client Firewall or Symantec Client Security
should download and apply patches obtained through their appropriate support
channels. The company said it was unaware of any active attempts to exploit
the flaws.
The flaws include a boundary error within the “SYMDNS.SYS” driver when
processing certain NBNS (NetBIOS Name Service) datagrams. This bug can be
exploited to cause a stack-based buffer overflow by sending a specially
crafted NBNS response to a vulnerable system.
Most of the flaws leave users at risk of scenarios where an attacker
could execute malicious code with kernel mode privileges.
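
The article does not say which field of the NBNS datagram SYMDNS.SYS mishandled. As an added example, not code from Symantec or eEye, the C parser below shows the length checking a name-service parser needs for the RFC 1002 encoded name that follows the 12-byte header; the function names, the restriction to names without scope IDs or compression pointers, and the sample builder are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define NBNS_HDR_LEN  12  /* fixed NBNS header (RFC 1002) */
#define NBNS_ENC_LEN  32  /* 16 name bytes, two characters per byte */
#define NBNS_NAME_LEN 16

/* Decode the encoded name after the header: 0 and out[0..15] plus NUL, or -1.
 * Lengths are checked before any read; the copy size is never wire-supplied. */
int nbns_first_name(const uint8_t *pkt, size_t len, char out[NBNS_NAME_LEN + 1])
{
    size_t off = NBNS_HDR_LEN;
    /* header + label length byte + 32 encoded bytes + terminating root label */
    if (pkt == NULL || len < NBNS_HDR_LEN + 1 + NBNS_ENC_LEN + 1)
        return -1;
    /* only label length 32 is accepted: rejects oversized labels and pointers */
    if (pkt[off++] != NBNS_ENC_LEN)
        return -1;
    for (size_t i = 0; i < NBNS_NAME_LEN; i++) {
        uint8_t hi = pkt[off + 2 * i], lo = pkt[off + 2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;              /* outside the half-ASCII alphabet */
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    out[NBNS_NAME_LEN] = '\0';
    /* assumption: no scope ID, so the root label must follow directly */
    return pkt[off + NBNS_ENC_LEN] == 0 ? 0 : -1;
}

/* Constructed sample datagram: zeroed header, then `name` space-padded to
 * 15 bytes with suffix 0x00, announced with the given label length byte. */
size_t nbns_sample(uint8_t *buf, const char *name, uint8_t label_len)
{
    size_t off = NBNS_HDR_LEN, n = strlen(name);
    memset(buf, 0, NBNS_HDR_LEN);
    buf[off++] = label_len;
    for (size_t i = 0; i < NBNS_NAME_LEN; i++) {
        uint8_t b = i >= 15 ? 0 : (i < n ? (uint8_t)name[i] : ' ');
        buf[off++] = (uint8_t)('A' + (b >> 4));
        buf[off++] = (uint8_t)('A' + (b & 0x0F));
    }
    buf[off++] = 0;
    return off;                     /* 46 bytes */
}

int main(void)
{
    uint8_t buf[64]; char out[NBNS_NAME_LEN + 1];
    size_t n = nbns_sample(buf, "HOST", 0xFF);   /* oversized label */
    return nbns_first_name(buf, n, out) == -1 ? 0 : 1;
}
```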