Security hole found in Symantec update tool

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-7488924.html?tag=mn_hd

By CNET News.com Staff 
October 11, 2001, 10:45 a.m. PT 
By Wendy McAuliffe 

A group of German hackers have exposed a vulnerability in Symantec's
software for updating antivirus software and other programs, which
could be used to download and run hostile code from an unauthorized
server.

Symantec, which makes antivirus and security software, has confirmed
that older versions of its virus definition software will allow
malicious programs such as Trojan horses and the remote penetration of
systems running version 1.4 of LiveUpdate to occur. The risk of
unauthorized intrusion is lessened on systems running the latest
version 1.6, but network degradation and outages could still be
possible.

German hacking group Phenoelit spotted the security hole and insists
that LiveUpdate could be forced to download illicit programs onto the
PC. "When LiveUpdate 1.4 is started (either by hand or by a scheduled
task), it looks for the server 'update.symantec.com'," states the
Phenoelit bulletin. "An attacker can use one of several attacks to
return false information to the querying host."

According to the Phenoelit alert, when the host running LiveUpdate
tries to connect to update.symantec.com via FTP, it is possible for an
attacker to redirect the request to a server of their choice.
LiveUpdate will then try to download the necessary files, which will
be compared with existing versions of Symantec software installed on
the host to see if an upgrade is needed. LiveUpdate will then
uncompress the files and perform the actions described in their
coding, which includes the execution of downloadable attachments.

LiveUpdate 1.6 follows the same update procedure but includes the
safeguard of "cryptographic signatures" of all update files. According
to Symantec, this makes it virtually impossible to use the latest
version as a penetration tool.

Misdirection attacks can also be controlled by Norton AntiVirus
products, which are designed to detect and block malicious programs.

While acknowledging the vulnerability, Symantec blamed much of the
problem on inherent flaws in the domain name system (DNS), the format
used to identify servers on the Internet. "The DNS attacks...have been
widely known to be an Internet infrastructure problem, not a Symantec
product problem, for some time and have been utilized in many
well-publicized DNS spoofing, redirection, cache poisoning attacks," a
Symantec statement said.

The statement also said that although LiveUpdate 1.6 could be hit by a
denial of service attack, "only a small percentage of a very large
user base could potentially be impacted to any degree, as the spoofing
or redirection would, by its very nature, be limited to a local
Internet area/region."

Symantec is encouraging users to upgrade to LiveUpdate 1.6 if they are
still relying on the four-year-old 1.4 version.

Staff writer Wendy McAuliffe reported from London.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.