Symantec, Norton need vital patches in next 24 hours

Almost the entire range of Symantec Corp. security software, from Norton Internet Security through to the Symantec Firewall require urgent updates, the company has warned, after a series of four extremely critical vulnerabilities were found by security company eEye Digital Security Inc.

Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

One of the holes remains open even with all ports filtered and intrusion rules set thanks to a separate design flaw, eEye has warned. This makes it an almost certain target for worm writers, one of which -- if history is to be believed -- may be put out on the Net within 24 hours.

Symantec was informed of the holes on April 19, and has provided patches for them Thursday. The patches should be installed as part of the Live Update feature in most packages but some will require the manual download and installation of patches, and those that have automatic updating switched off will need to run Live Update as soon as possible.

EEye explains in its advisories that the holes (all within the "symdns.sys" driver) allow system access, the opportunity to create a denial-of-service attack, and -- most serious -- an open door to a worm.

They are the following:

-- A boundary error when processing certain NBNS datagrams. Buffer overflow can be created with crafted NBNS response, allowing execution of code with kernel Ring 0 privileges. However, incoming NBNS traffic does need to be allowed -- which, fortunately, is not the default setting.

-- An error when processing certain DNS datagrams. Can be exploited to halt the system with a crafted DNS response.

-- Another NBNS datagram processing error. Crafted response allow for code execution and Ring 0 privileges. Again, needs NBNS incoming traffic to be allowed.

-- A boundary error with DNS datagrams. A resource record with an overlong CNAME field can cause a stack-based buffer overflow. Code execution kernel Ring 0 privileges. This can be pulled off even with all ports filtered and all intrusion rules set.

With the last vulnerability, eEye warns: "With the ability to freely execute code at the Ring 0 privilege level, there are literally no boundaries for an attacker. It should also be noted, that due to a separate design flaw in the firewalls handling of incoming packets, this attack can be successfully performed with all ports filtered, and all intrusion rules set."

It continues: "A separate design flaw allows this attack to succeed with the firewall running at it's most locked-down state. The firewall will happily accept any packet that has a source port of 53, regardless of port filtering. The fact that this vulnerability is exploitable over UDP adds another serious layer to an already critical flaw."

Security company Secunia has warned that the last time such a hole appeared -- in ISS' security software and how it handled ICQ traffic -- a worm, the Witty worm, appeared just a day after the exploit was made public. Patching therefore would appear to be extremely urgent.

Symantec has more detail on the flaws with links to patches on its Web site: http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html.