Re: [ISN] Security hole found in Symantec update tool

From: InfoSec News (isnat_private)
Date: Mon Oct 15 2001 - 01:02:42 PDT

    Forwarded from: Paul Cardon <paulat_private>
    
    InfoSec News wrote:
     
    > While acknowledging the vulnerability, Symantec blamed much of the
    > problem on inherent flaws in the domain name system (DNS), the
    > format used to identify servers on the Internet. "The DNS
    > attacks...have been widely known to be an Internet infrastructure
    > problem, not a Symantec product problem, for some time and have
    > been utilized in many well-publicized DNS spoofing, redirection,
    > cache poisoning attacks," a Symantec statement said.
    
    Bah.  It IS a Symantec product problem because they were relying on an
    untrustable infrastructure rather than using a mechanism to actually
    authenticate the Live Update server or the data it provides to the
    client like they do with the newer version.  Blaming the
    infrastructure is disingenuous at best.  If a system is to be secure,
    the trustability and validity of ALL externally provided input must be
    considered.
    
    -paul
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 03:10:58 PDT