Norton and BlackICE firewall security flaws

Old 31st Mar 2004, 15:21
  #1 (permalink)  
swh

Eidolon
Thread Starter
 
Join Date: May 2001
Location: Some hole
Posts: 2,179

Norton and BlackICE firewalls contain security flaws
March 29, 2004
John McCormick
Takeaway:
Serious security flaws have recently been discovered in popular desktop firewalls from Norton and Internet Security Systems.

There have been a slew of recent vulnerabilities discovered in the very security products that administrators and end users depend on to protect their systems. Security firms eEye Digital Security and NGSSoftware have reported discovering vulnerabilities in Norton Internet Security 2004, which can be exploited by attackers to compromise a system. Also affected are Norton Internet Security 2004 Professional and Norton Personal Firewall 2004. Vulnerabilities have also recently been discovered by eEye in all versions of the RealSecure and BlackICE firewalls from Internet Security Systems (ISS).

Details
One problem reported to Symantec on March 9, 2004, is a remotely-exploitable flaw that can allow an attacker to execute a denial of service attack against any system where the Norton software is installed using the default settings.

The ISS vulnerability, reported to the vendor on March 8, 2004, is also remotely exploitable and allows an attacker to gain system access to the vulnerable machines.

Fortunately, eEye is highly ethical in the way it discloses the vulnerabilities it discovers, and does not publish any more than the bare minimum information about these threats until the vendor has ample time to address them.

NGSSoftware has also reported a problem in Norton’s Anti-Spam utility (included with Internet Security 2004 and Internet Security 2004 Professional) that can result in a stack overflow and allow the attacker to run arbitrary code on vulnerable machines.

Applicability
Norton firewall products:
• Norton Internet Security 2004
• Norton Internet Security 2004 Professional
• Norton Personal Firewall 2004

ISS firewall products:
• All versions of ISS's RealSecure
• All versions of BlackICE

Risk level - Serious
These eEye reports appear to be pretty serious vulnerabilities, although I can’t be certain because extensive details weren’t immediately available.

NGSSoftware has released a few details, and these appear to be different threats from those alluded to by eEye but, because the eEye reports are preliminary, it is difficult to be certain.

Mitigating factors – Unknown
As I mentioned above, eEye is careful not to release any details until the vendors have had time to address the threats, and eEye itself doesn’t say anything about possible mitigating factors. With no details I couldn’t determine on my own if there are any useful mitigating factors at the time this report was released.

There are no mitigating factors for the vulnerabilities reported by NGSSoftware other than that they require the user to visit a malicious Web site or open an infected HTML e-mail.

Fix
None are reported available for the problems noted by eEye, but the two published by NGSSoftware are already patched by Symantec, and vulnerable systems will be repaired as soon as LiveUpdate is run.

Final word
I find this recent slew of serious holes in antivirus and firewall software extremely troublesome. I never really put much reliance on these things myself, but my clients depend on them very heavily and they, along with other businesses, tend to pay less attention to security simply because they feel that they have done all they need to do by installing and maintaining some of these big-name security utilities.

That’s reasonable enough; after all, the antivirus and firewall software available today is pretty effective if you configure it properly; however, I doubt many people realize that those security programs may themselves add new vulnerabilities to their systems.

Just to remind you, we’ve recently seen Symantec’s LiveUpdate block access to some Microsoft Office applications; there was a big hole in ZoneLab’s ZoneAlarm firewall; and News.com has reported in the past that security firm ISS X-Force found multiple vulnerabilities in Check Point Firewall-1 and Check Point VPN-1 Server as well as SecuRemote and SecureClient VPN clients. Back in February eEye reported other problems in ISS software. Those problems affected RealSecure, Proventia, and BlackICE. The list goes on and on.

Old 31st Mar 2004, 15:50
  #2 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
swh,

Any software can be defeated. Just having something in place will stop most attacks. If someone wants in your system and you are on the Internet, they will get in. It is that simple.

The good news is hackers do not want access to home PCs. They are after large corporations and government networks.

The point is, nothing is perfect, but by having either a Hardware or a Software Firewall, you are reasonably safe.

Take Care,

Richard
Old 31st Mar 2004, 16:55
  #3 (permalink)  
 
Join Date: Jul 2002
Location: CYYC
Posts: 410
The software is written by humans, and can be defeated by a human determined enough to do so. Thankfully, as Richard pointed out, hackers are more interested in corporate networks, or unprotected computers. It's not really worth their time to try to break into personal computers with firewalls. If you don't have a firewall though, hackers are more than happy to use your computer for whatever they want to.

goates
Old 1st Apr 2004, 05:17
  #4 (permalink)  
 
Join Date: Jul 2001
Location: EGKK
Posts: 67
I upgraded from Norton Internet Security 2002 to 2004 and ran their security check and found that it had left a hole in the firewall allowing access through the loc-srv port. I have to say that I was not best pleased about this but also found that activating the XP in-built firewall filled the hole; in fact the XP firewall appeared, through the same security check, to be a whole lot better than the NIS 2004 firewall. I would think carefully about purchasing a Norton firewall in the future, but just how good is the current XP in-built firewall?

chc
Old 1st Apr 2004, 11:11
  #5 (permalink)  

Spicy Meatball
 
Join Date: Jan 2004
Location: Liverpool UK
Age: 42
Posts: 1,115
I agree with what is said here - my general rule of thumb is that the firewall can be a mega super duper piece of kit, but it will always only be as strong/secure as its very weakest point, so if there are any gaps in it then the lot is a waste of time.

Regards

Maz
Old 1st Apr 2004, 15:33
  #6 (permalink)  
 
Join Date: Jul 2002
Location: CYYC
Posts: 410
carbheatcold,

XP's built-in firewall only stops attempts by external attacks on your computer. If you get a trojan or one of the many email viruses that initiate a connection from your computer, it will do nothing. This is why it is better to use Zone Alarm, Norton Firewall (properly configured) or another third party firewall.

Microsoft is strengthening the firewall in the XP Service Pack 2 release coming out this summer, but it remains to be seen exactly how far they take it.

goates
Old 1st Apr 2004, 15:53
  #7 (permalink)  
 
Join Date: May 2002
Location: Cheshire, UK
Age: 56
Posts: 500
Worrying indeed - I use Black Ice products personally as they were used at a major international bank I worked for.

Still yet to see any patches from them so I am shopping around.

I think I may go with Richard's suggestion of a hardware firewall.

Richard, it's an old Compaq 233MHz PC. I am sure it can handle 2 NICs. What do you recommend as an OS?

Quite familiar with Checkpoint 1, Nokia firewalls, Norton etc

What, if any, are the issues with NAT and an ISP? My ISP may or may not support fixed IP - not an issue up to now.

Also considering a wireless router where NAT becomes an issue.

Cheers
Old 1st Apr 2004, 19:16
  #8 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Lost_luggage34,

With a 233MHz CPU I would recommend running Win98SE. It is not worth running Win2k and it will not run WinXP.

Take Care,

Richard

P.S. With a hardware firewall (Router) you would only need one NIC in the computer.
Old 2nd Apr 2004, 00:16
  #9 (permalink)  
 
Join Date: Jul 2001
Location: EGKK
Posts: 67
Goates,

I have my Norton firewall set up as it installed itself, through defaults I would imagine. What and where should I be looking to ensure that it is properly configured? I have not looked too hard but I have struggled to find good Norton info on setting it up. Appreciate any suggestions.

chc
Old 2nd Apr 2004, 15:49
  #10 (permalink)  
 
Join Date: Jul 2002
Location: CYYC
Posts: 410
chc,

I think this site has some tips on Norton/Symantec Internet Firewall. I can't remember if it's in the Leak Test or Shields Up sections. The issue had to do with the program automatically creating rules for programs. It may not affect the most recent version though.

I have just recently installed Norton Internet Security at home and am still playing with it myself. I'll post what I find though.

goates
Old 2nd Apr 2004, 20:11
  #11 (permalink)  
 
Join Date: Jul 2001
Location: EGKK
Posts: 67
Appreciate the info Goates. When I get five minutes I shall have a more thorough look. I would still welcome any other input though.

Thanks

chc
Old 3rd Apr 2004, 12:31
  #12 (permalink)  

Spicy Meatball
 
Join Date: Jan 2004
Location: Liverpool UK
Age: 42
Posts: 1,115
I got so sick of Norton products cos they kept conflicting with all kinds of hard/soft ware. I now use Sygate Personal firewall instead - much better IMHO