[ISN] Security hole found in Symantec update tool

From: InfoSec News (isnat_private)
Date: Fri Oct 12 2001 - 04:47:08 PDT

  • Next message: InfoSec News: "[ISN] Bin Laden's Felt-Skinned Henchman"

    http://news.cnet.com/news/0-1003-200-7488924.html?tag=mn_hd
    
    By CNET News.com Staff 
    October 11, 2001, 10:45 a.m. PT 
    By Wendy McAuliffe 
    
    A group of German hackers have exposed a vulnerability in Symantec's
    software for updating antivirus software and other programs, which
    could be used to download and run hostile code from an unauthorized
    server.
    
    Symantec, which makes antivirus and security software, has confirmed
    that older versions of its virus definition software will allow
    malicious programs such as Trojan horses and the remote penetration of
    systems running version 1.4 of LiveUpdate to occur. The risk of
    unauthorized intrusion is lessened on systems running the latest
    version 1.6, but network degradation and outages could still be
    possible.
    
    German hacking group Phenoelit spotted the security hole and insists
    that LiveUpdate could be forced to download illicit programs onto the
    PC. "When LiveUpdate 1.4 is started (either by hand or by a scheduled
    task), it looks for the server 'update.symantec.com'," states the
    Phenoelit bulletin. "An attacker can use one of several attacks to
    return false information to the querying host."
    
    According to the Phenoelit alert, when the host running LiveUpdate
    tries to connect to update.symantec.com via FTP, it is possible for an
    attacker to redirect the request to a server of their choice.
    LiveUpdate will then try to download the necessary files, which will
    be compared with existing versions of Symantec software installed on
    the host to see if an upgrade is needed. LiveUpdate will then
    uncompress the files and perform the actions described in their
    coding, which includes the execution of downloadable attachments.
    
    LiveUpdate 1.6 follows the same update procedure but includes the
    safeguard of "cryptographic signatures" of all update files. According
    to Symantec, this makes it virtually impossible to use the latest
    version as a penetration tool.
    
    Misdirection attacks can also be controlled by Norton AntiVirus
    products, which are designed to detect and block malicious programs.
    
    While acknowledging the vulnerability, Symantec blamed much of the
    problem on inherent flaws in the domain name system (DNS), the format
    used to identify servers on the Internet. "The DNS attacks...have been
    widely known to be an Internet infrastructure problem, not a Symantec
    product problem, for some time and have been utilized in many
    well-publicized DNS spoofing, redirection, cache poisoning attacks," a
    Symantec statement said.
    
    The statement also said that although LiveUpdate 1.6 could be hit by a
    denial of service attack, "only a small percentage of a very large
    user base could potentially be impacted to any degree, as the spoofing
    or redirection would, by its very nature, be limited to a local
    Internet area/region."
    
    Symantec is encouraging users to upgrade to LiveUpdate 1.6 if they are
    still relying on the four-year-old 1.4 version.
    
    Staff writer Wendy McAuliffe reported from London.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 06:36:24 PDT