Norton and BlackICE firewalls contain security flaws
March 29, 2004
John McCormick
Takeaway:
Serious security flaws have recently been discovered in popular desktop firewalls from Norton and Internet Security Systems.
There have been a slew of recent vulnerabilities discovered in the very security products that administrators and end users depend on to protect their systems. Security firms eEye Digital Security and NGSSoftware have reported discovering vulnerabilities in Norton Internet Security 2004, which can be exploited by attackers to compromise a system. Also affected are Norton Internet Security 2004 Professional and Norton Personal Firewall 2004. Vulnerabilities have also recently been discovered by eEye in all versions of the RealSecure and BlackICE firewalls from Internet Security Systems (ISS).
Details
One problem reported to Symantec on March 9, 2004, is a remotely-exploitable flaw that can allow an attacker to execute a denial of service attack against any system where the Norton software is installed using the default settings.
The ISS vulnerability, reported to the vendor on March 8, 2004, is also remotely exploitable and allows an attacker to gain system access to the vulnerable machines.
Fortunately, eEye is highly ethical in the way it discloses the vulnerabilities it discovers, and does not publish any more than the bare minimum information about these threats until the vendor has ample time to address them.
NGSSoftware has also reported a problem in Norton’s Anti-Spam utility (included with Internet Security 2004 and Internet Security 2004 Professional) that can result in a stack overflow and allow the attacker to run arbitrary code on vulnerable machines.
Applicability
Norton firewall products:
• Norton Internet Security 2004
• Norton Internet Security 2004 Professional
• Norton Personal Firewall 2004
ISS firewall products:
• All versions of ISS's RealSecure
• All versions of BlackICE
Risk level - Serious
These eEye reports appear to be pretty serious vulnerabilities, although I can’t be certain because extensive details weren’t immediately available.
NGSSoftware has released a few details, and these appear to be different threats from those alluded to by eEye but, because the eEye reports are preliminary, it is difficult to be certain.
Mitigating factors – Unknown
As I mentioned above, eEye is careful not to release any details until the vendors have had time to address the threats, and eEye itself doesn’t say anything about possible mitigating factors. With no details I couldn’t determine on my own if there are any useful mitigating factors at the time this report was released.
There are no mitigating factors for the vulnerabilities reported by NGSSoftware other than that they require the user to visit a malicious Web site or open an infected HTML e-mail.
Fix
None are reported available for the problems noted by eEye, but the two published by NGSSoftware are already patched by Symantec, and vulnerable systems will be repaired as soon as LiveUpdate is run.
Final word
I find this recent slew of serious holes in antivirus and firewall software extremely troublesome. I never really put much reliance on these things myself, but my clients depend on them very heavily and they, along with other businesses, tend to pay less attention to security simply because they feel that they have done all they need to do by installing and maintaining some of these big-name security utilities.
That’s reasonable enough; after all, the antivirus and firewall software available today is pretty effective if you configure it properly; however, I doubt many people realize that those security programs may themselves add new vulnerabilities to their systems.
Just to remind you, we’ve recently seen Symantec’s LiveUpdate block access to some Microsoft Office applications; there was a big hole in ZoneLab’s ZoneAlarm firewall; and News.com has reported in the past that security firm ISS X-Force found multiple vulnerabilities in Check Point Firewall-1 and Check Point VPN-1 Server as well as SecuRemote and SecureClient VPN clients. Back in February eEye reported other problems in ISS software. Those problems affected RealSecure, Proventia, and BlackICE. The list goes on and on.
