Re: [vor] Re: [ISN] Symantec CEO Warns of Drop in Internet Use

From: InfoSec News (isn@private)
Date: Thu Nov 20 2003 - 23:16:08 PST


    Forwarded from: Chris Wysopal <weld@private>
    To: security curmudgeon <jericho@private>
    cc: InfoSec News <isn@private>
    
    Your list of vulnerabilities in security products brings up an issue
    that is often lost on people.  When you add a band-aid instead of
    fixing the root problem you are always adding risk.  It is hard for
    people to understand but sometimes you are lowering overall security
    by adding a new layer with its attendant design and implementation
    flaws.
    
    We had a customer that was not satisfied with IIS basic auth security
    over SSL.  So what did they do?  They added a single sign on ISAPI
    plugin.  Well that plugin had a buffer overflow that allowed you to
    not only login with no credentials but execute code on the server.  
    The moral is unless you do security acceptance testing on the
    components you are adding, you are just guessing that you are
    increasing security.  The poor track record of even security products
    companies is the evidence.
    
    -weld
    
    On Thu, 20 Nov 2003, security curmudgeon wrote:
    
    >
    > : http://www.eweek.com/article2/0,4149,1390273,00.asp
    > :
    > : November 19, 2003
    > : By Dennis Fisher
    > :
    > : LAS VEGAS - If software vendors and security companies don't get their
    > : act together and start producing better products, users will begin
    > : dropping off the Internet out of sheer frustration, predicted John
    > : Thompson, chairman and CEO of Symantec Corp., in his keynote speech at
    > : Comdex here Wednesday.
    > :
    > : Thompson challenged vendors to begin turning out more secure software
    > : solutions and to take the initiative in trying to protect customers from
    > : attackers and themselves. If that doesn't come to pass, then Internet
    > : users—especially less savvy consumers—will reduce the amount of time
    > : they spend on the Internet and only use it when they absolutely need to.
    >
    > Symantec PCAnywhere Chat Client Privilege Escalation Vulnerability
    > http://www.securityfocus.com/bid/9052
    >
    > Symantec PCAnywhere Privilege Escalation Vulnerability
    > http://www.securityfocus.com/bid/9045
    >
    > Symantec Norton Internet Security Error Message Cross-Site Scripting
    > http://www.securityfocus.com/bid/8904
    >
    > Symantec AntiVirus For Handhelds Scanning Bypass Vulnerability
    > http://www.securityfocus.com/bid/8639
    >
    > Symantec Norton AntiVirus Device Driver Memory Overwrite Vulnerability
    > http://www.securityfocus.com/bid/8329
    >
    > Symantec Quarantine Server Disconnect Denial Of Service Vulnerability
    > http://www.securityfocus.com/bid/8306
    >
    > Symantec NAVCE Failure To Scan Floppy Disks Vulnerability
    > http://www.securityfocus.com/bid/8077
    >
    > Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
    > http://www.securityfocus.com/bid/8008
    >
    > Symantec Enterprise Firewall HTTP Pattern Matching Evasion Weakness
    > http://www.securityfocus.com/bid/7196
    >
    > Symantec Norton Internet Security ICMP Packet Flood Denial Of Service
    > http://www.securityfocus.com/bid/6598
    >
    > Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow Vulnerability
    > http://www.securityfocus.com/bid/6389
    >
    > Symantec Java! JustInTime Compiler Command Execution Vulnerability
    > http://www.securityfocus.com/bid/6222
    >
    > Symantec NAVCE Privilege Escalation Vulnerability
    > http://www.securityfocus.com/bid/5966
    >
    > Multiple Symantec HTTP Proxy Denial of Service Vulnerability
    > http://www.securityfocus.com/bid/5958
    >
    > Multiple Symantec HTTP Proxy Information Disclosure Vulnerability
    > http://www.securityfocus.com/bid/5959
    >
    > Symantec VelociRaptor Denial of Service Vulnerability
    > http://www.securityfocus.com/bid/5909
    >
    > Multiple Symantec Product Weak TCP Initial Sequence Number Vulnerability
    > http://www.securityfocus.com/bid/5387
    >
    > Symantec Norton Personal Firewall/Internet Security 2001 Buffer Overflow Vulnerability
    > http://www.securityfocus.com/bid/5237
    >
    > Symantec Norton Personal Firewall 2002 Portscan Protection Bypass Vulnerability
    > http://www.securityfocus.com/bid/4521
    >
    > Symantec Raptor / Enterprise Firewall FTP Bounce Vulnerability
    > http://www.securityfocus.com/bid/4522
    >
    > Symantec Norton Personal Firewall 2002 Fragmented Packet Vulnerability
    > http://www.securityfocus.com/bid/4545
    >
    > Symantec Norton AntiVirus NULL Characters Incoming Email Protection Bypass Vulnerability
    > http://www.securityfocus.com/bid/4242
    >
    > Symantec Norton AntiVirus Non-RFC Compliant Email Protection Bypass Vulnerability
    > http://www.securityfocus.com/bid/4243
    >
    > Symantec Norton AntiVirus Excluded Filetype Email Protection Bypass Vulnerability
    > http://www.securityfocus.com/bid/4245
    >
    > Symantec Norton AntiVirus Conflicting MIME Header Vulnerability
    > http://www.securityfocus.com/bid/4246
    >
    > Symantec Ghost Corporate Edition 7.0 Plain Text Credentials Vulnerability
    > http://www.securityfocus.com/bid/4181
    >
    > Symantec Norton Antivirus LiveUpdate Plaintext Credentials Vulnerability
    > http://www.securityfocus.com/bid/4170
    >
    > Symantec Enterprise Firewall Notify Daemon SNMP Data Loss Vulnerability
    > http://www.securityfocus.com/bid/4139
    >
    > Symantec Enterprise Firewall SMTP Proxy Information Leak Vulnerability
    > http://www.securityfocus.com/bid/4141
    >
    > Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
    > http://www.securityfocus.com/bid/3403
    >
    > Symantec Norton Antivirus LiveUpdate DoS Vulnerability
    > http://www.securityfocus.com/bid/3413
    >
    > Symantec Ghost Configuration Server DoS Attack
    > http://www.securityfocus.com/bid/2570
    >
    > Symantec pcAnywhere Port Scan DoS Vulnerability
    > http://www.securityfocus.com/bid/1150
    >
    > Symantec pcAnywhere Weak Encryption Vulnerability
    > http://www.securityfocus.com/bid/1093
    >
    > Symantec Mail-Gear Directory Traversal Vulnerability
    > http://www.securityfocus.com/bid/827
    >
    > Hrm?
    >
    > : "There is no cost [to send spam]; therefore, people send all kinds of
    > : junk. Service providers can fix this by changing the economics of the
    > : situation," he said. "Don't rely on legislative initiatives. A simple
    > : technology solution solves this problem. You know what's coming through
    > : your network. If someone is sending 100,000 e-mails, block them. I don't
    > : understand why you need to appeal to the government."
    >
    > Great theory, but I wonder. If the solution is SO easy, and requires
    > e-mail senders to pay for each outgoing email, why hasn't Symantec
    > developed the solution? If it is that easy, then Symantec could easily
    > jump into a billion+ dollar cash cow.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    
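The failure weld describes, as an added illustration that is not code from the thread or from any Symantec or ISAPI product: a hypothetical single sign-on header filter in C, with the unbounded copy beside a bounded version that rejects rather than truncates, and the kind of security acceptance test he says should be run on an added component before it is trusted. The names (sso_copy_token, TOKEN_MAX, the result codes) are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not code from the thread: a hypothetical single
 * sign-on filter that copies a session token from a request header into
 * a fixed stack buffer, the kind of component weld describes. */
#define TOKEN_MAX 64
enum sso_result { SSO_OK, SSO_NO_HEADER, SSO_TOO_LONG, SSO_BAD_CHARS };

/* The defect pattern: trust the header length and copy it into a
 * TOKEN_MAX buffer. A longer header overruns the stack. Never called. */
void sso_copy_token_unsafe(const char *hdr, char out[TOKEN_MAX]) {
    strcpy(out, hdr);                             /* unbounded copy */
}

/* Hardened form: measure against the bound before writing, reject rather
 * than truncate (a truncated token could collide with a valid one), and
 * restrict the alphabet so the value cannot carry control bytes onward. */
enum sso_result sso_copy_token(const char *hdr, char out[TOKEN_MAX]) {
    if (hdr == NULL || *hdr == '\0') return SSO_NO_HEADER;
    size_t n = 0;
    while (n < TOKEN_MAX && hdr[n] != '\0') n++;  /* bounded scan */
    if (n >= TOKEN_MAX) return SSO_TOO_LONG;      /* keep room for the NUL */
    for (size_t i = 0; i < n; i++) {
        char c = hdr[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
              (c >= 'A' && c <= 'Z') || c == '-' || c == '_'))
            return SSO_BAD_CHARS;
    }
    memcpy(out, hdr, n + 1);
    return SSO_OK;
}

/* Security acceptance test of the kind weld argues must precede deployment:
 * exercise the boundary (empty, TOKEN_MAX-1, TOKEN_MAX, far beyond) and
 * unexpected bytes. Returns the number of failed checks, 0 when all pass. */
int sso_acceptance_test(void) {
    char buf[TOKEN_MAX], under[TOKEN_MAX], atmax[TOKEN_MAX + 1], huge[4096];
    int failures = 0;
    memset(under, 'a', TOKEN_MAX - 1); under[TOKEN_MAX - 1] = '\0'; /* 63 chars */
    memset(atmax, 'b', TOKEN_MAX);     atmax[TOKEN_MAX] = '\0';     /* 64 chars */
    memset(huge, 'c', sizeof huge - 1); huge[sizeof huge - 1] = '\0';
    failures += sso_copy_token(NULL, buf) != SSO_NO_HEADER;
    failures += sso_copy_token("", buf) != SSO_NO_HEADER;
    failures += sso_copy_token(under, buf) != SSO_OK || strcmp(buf, under) != 0;
    failures += sso_copy_token(atmax, buf) != SSO_TOO_LONG;
    failures += sso_copy_token(huge, buf) != SSO_TOO_LONG;
    failures += sso_copy_token("sess id", buf) != SSO_BAD_CHARS;
    return failures;
}
```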



    This archive was generated by hypermail 2b30 : Fri Nov 21 2003 - 02:00:35 PST