There have been a slew of recent vulnerabilities discovered in the very security products that administrators and end users depend on to protect their systems. Security firms eEye Digital Security and NGSSoftware have reported discovering vulnerabilities in Norton Internet Security 2004, which can be exploited by attackers to compromise a system. Also affected are Norton Internet Security 2004 Professional and Norton Personal Firewall 2004. Vulnerabilities have also recently been discovered by eEye in all versions of the RealSecure and BlackICE firewalls from Internet Security Systems (ISS).

One problem reported to Symantec on March 9, 2004, is a remotely exploitable flaw that can allow an attacker to mount a denial of service attack against any system where the Norton software is installed with the default settings.

The ISS vulnerability, reported to the vendor on March 8, 2004, is also remotely exploitable and allows an attacker to gain system access to the vulnerable machines.

Fortunately, eEye is highly ethical in the way it discloses the vulnerabilities it discovers, and does not publish any more than the bare minimum information about these threats until the vendor has ample time to address them.

NGSSoftware has also reported a problem in Norton’s Anti-Spam utility (included with Internet Security 2004 and Internet Security 2004 Professional) that can result in a stack overflow and allow the attacker to run arbitrary code on vulnerable machines.

Norton firewall products:

  • Norton Internet Security 2004
  • Norton Internet Security 2004 Professional
  • Norton Personal Firewall 2004

ISS firewall products:

  • All versions of ISS’s RealSecure
  • All versions of BlackICE

Risk level – Serious
These eEye reports appear to be pretty serious vulnerabilities, although I can’t be certain because extensive details weren’t immediately available.

NGSSoftware has released a few details, and these appear to be different threats from those alluded to by eEye; but because the eEye reports are preliminary, it is difficult to be certain.

Mitigating factors – Unknown
As I mentioned above, eEye is careful not to release any details until the vendors have had time to address the threats, and eEye itself doesn’t say anything about possible mitigating factors. With no details I couldn’t determine on my own if there are any useful mitigating factors at the time this report was released.

There are no mitigating factors for the vulnerabilities reported by NGSSoftware other than that they require the user to visit a malicious Web site or open an infected HTML e-mail.

No fixes are reported available for the problems noted by eEye, but the two published by NGSSoftware are already patched by Symantec, and vulnerable systems will be repaired as soon as LiveUpdate is run.

Final word
I find this recent slew of serious holes in antivirus and firewall software extremely troublesome. I never really put much reliance on these things myself, but my clients depend on them very heavily and they, along with other businesses, tend to pay less attention to security simply because they feel that they have done all they need to do by installing and maintaining some of these big-name security utilities.

That’s reasonable enough; after all, the antivirus and firewall software available today is pretty effective if you configure it properly; however, I doubt many people realize that those security programs may themselves add new vulnerabilities to their systems.

Just to remind you, we’ve recently seen Symantec’s LiveUpdate block access to some Microsoft Office applications; there was a big hole in ZoneLab’s ZoneAlarm firewall; and it has been reported in the past that security firm ISS X-Force found multiple vulnerabilities in Check Point Firewall-1 and Check Point VPN-1 Server as well as the SecuRemote and SecureClient VPN clients. Back in February eEye reported other problems in ISS software. Those problems affected RealSecure, Proventia, and BlackICE. The list goes on and on. To see some more examples, check my March 15 story.

Also watch for…

  • A report says AOL and some ISPs have filed suit against a number of spammers for violating practically every provision of the Can-Spam Act. This will probably drag out in the courts for years, but at least we will eventually see whether Can-Spam has any real teeth. A recent study showed that only a tiny percentage of spammers are following even the most basic rules imposed by Can-Spam.
  • Another report has dared to mention the dirty little secret of Linux security in print, and I’m mentioning it here because I know the vast majority of my readers are professionals and won’t simply flame themselves into a frenzy in the discussion area. As bad as Microsoft service packs can be, they are infinitely easier to deploy across a hundred, or even a thousand, computers than are most major Linux fixes. If Linux/UNIX is ever to become a real mainstream alternative to Windows, vendors must make their security tools easier for less-skilled administrators to use.
  • Help Net Security has reported SOAP Server Array DoS vulnerabilities in products from a number of vendors, including Macromedia ColdFusion/MX 6.0 and 6.1, Macromedia ColdFusion/MX 6.0 and 6.1 J2EE (all editions), Macromedia JRun 4.0 (all editions), Sun Java System Application Server 7 Update 2 Upgrade, and Sun ONE Application Server.
  • Following up on my March 1, 2004 column about the recently leaked Microsoft source code, I rated the risk level as “unknown but probably very serious.” The company, understandably enough, said it was no big deal, but so did many other security “experts.” A recent article in eWEEK indicates that the disclosure really was a big deal and quotes a manager at iDefense as saying, “I know of vulnerabilities that have been discovered as a result of the code being exposed to the Internet. I suspect that additional new vulnerabilities will be discovered as time goes on.” There is a lot of underground noise about things found in the source code but no one is speaking publicly, since it is illegal to possess the source code.
  • IBM has made a patch available for a recent IBM DB2 database flaw.
  • Sun has issued a patch for a recent Solaris passwd vulnerability.
  • If you missed last week’s column and you use spam-blocking software, it’s very important for you to know that ZDNet UK has published a report that the recent critical Microsoft patch for Office XP, MS04-009, disables some spam filters. It makes any systems running Sunbelt Software’s iHateSpam and Cloudmark’s Spamnet unusable because they generate so many pop-up error messages.
  • There are also some new moderately-critical OpenSSL flaws which pose DoS threats. These have already been addressed by OpenSSL. Affected are Cisco, SuSE, Mandrake, Debian, Gentoo, Slackware, Red Hat, FreeBSD, and EnGarde. See the vendor sites for more information about which versions are affected.
  • Check out the eEye list of unpatched vulnerabilities. The list includes those vulnerabilities reported to any vendors by eEye. The company considers 30 days a reasonable time period to address a vulnerability, and Microsoft is, at the moment, the only company that has gone over that arbitrary time limit. In fact, some known Microsoft vulnerabilities have gone unpatched for as much as 130 days, but Apple, IBM, and ISS have recently come close to missing the 30-day limit (and may have done so by the time you read this). Microsoft appears to be the worst offender.