[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 133/04 - Two NGSSoftware Insight Security Research Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 133/04 dated 23.03.04  Time: 11:25  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two NGSSoftware Insight Security Research Advisories



Detail
====== 



   ESB-2004.0228 -- Two NGSSoftware Insight Security Research Advisories
   ActiveX Vulnerabilities in Norton (Symantec) Client Security Products
                               23 March 2004


Product:                Norton Internet Security
                        Norton AntiSpam
Publisher:              NGSSoftware
Operating System:       Windows XP
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

Comment: NGSSoftware Advisory Numbers:
                        #NISR19042004b
                        #NISR19042004a

- - --------------------------BEGIN INCLUDED TEXT--------------------

NGSSoftware Insight Security Research Advisory

Name: Norton Internet Security Remote Command Execution
Systems Affected: XP (not confirmed on 2000); NIS & NIS Pro 2004, not confirmed on previous versions.
Severity: High
Vendor URL: http://www.symantec.com
Author: Mark Litchfield [ mark@xxxxxxxxxxxxxxx ]
Date Vendor Notified:    4th March 2004
Date of Public Advisory: 19th March 2004
Advisory number: #NISR19042004b
Advisory URL: http://www.ngssoftware.com/advisories/nisrce.txt

Description
***********

Symantec's Norton Internet Security 2004 Professional protects you and your business from online threats. It eliminates viruses automatically, blocks hackers, safeguards your personal information, fights spam, increases online productivity, recovers lost or damaged files, and thoroughly deletes confidential data you no longer need.


Details
*******

Installed with Norton Internet Security and Professional is an ActiveX component that is marked safe for scripting, namely WrapNISUM Class (c:\program files\Norton Internet Security Professional\WrapUM.dll). Using the LaunchURL method an attacker has the ability to force the browser to run arbitrary executables on the target.  In a real world attack, this would more than likely take the form of a UNC path.  It's important to note here that on those windows operating systems that support the WEBDAV redirector file system if the UNC path cannot be reached over TCP port 139 or 445 it will switch to TCP Port 80 (http).  Needless to say this aspect will allow attacks to go through corporate firewalls.  The attack can be achieved either by encouraging the 'victim' to visit a malicious web page or placing a script within the content of an (html) email.


Fix Information
***************

Shipped with all Symantec's products is the LiveUpdate feature. Open Internet Security / Professional and select the LiveUpdate feature which will retrieve the lastest patch.  It's worth mentioning Symantec's quick response to this issue in ensuring their clients remain protected.

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@xxxxxxxxxxxxxxx


NGSSoftware Insight Security Research Advisory

Name: Norton AntiSpam Remote Buffer Overrun
Systems Affected: Windows XP (not confirmed on 2000)
Severity: High
Vendor URL: http://www.symantec.com
Author: Mark Litchfield [ mark@xxxxxxxxxxxxxxx ]
Date Vendor Notified:    4th March 2004
Date of Public Advisory: 19th March 2004
Advisory number: #NISR19042004a
Advisory URL: http://www.ngssoftware.com/advisories/antispam.txt

Description
***********

Symantec's Norton AntiSpamT 2004 filters unwanted email out of your inbox. Working with any POP3 email program, it filters incoming mail on multiple levels, detecting and flagging unsolicited messages while promptly delivering valid mail. To make your online time more enjoyable, Norton AntiSpam also blocks intrusive pop-up and banner ads. It is worth mentioning here, that Norton AntiSpamT is also packaged within Norton Internet Security 2004 and Norton Internet Security 2004 Professional.

Details
*******

Installed with Norton AntiSpam is an ActiveX component that is marked safe for scripting, namely SymSpamHelper Class (c:\program files\common files\symantec shared\antispam\symspam.dll). Using the method LaunchCustomRuleWizard with an overly long parameter, an attacker can cause a stack based overflow allowing the ability to remotley run arbitrary code on the target.  This can be achieved either by encouraging the 'victim' to visit a malicious web page or placing a script within the content of an (html) email.


Fix Information
***************

Shipped with all Symantecs products is the LiveUpdate feature. Open Norton AntiSpam or Norton Internet Security / Professional and select the LiveUpdate feature which will retrieve the lastest patch.  Also worth mentioning is Symantec's quick response to this issue in ensuring their clients remain protected.

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@xxxxxxxxxxxxxxx


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of NGSSoftware for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQGAfFYpao72zK539AQHBfQQAli5WbVvSk+q/Wgn+8x64VDMq3/jbBig/
7I4li0PXnk1uiZ7a2nLkaJtL6YIJcow4ymAhJPEIxFR0ua/KxVUGPiKzUXG1VJff
ZZFFVHr1vGm+ifskqHBDb7v1OwJ7ShzyBKGKOPgdZiRvuBYsPhwKsuLw2H0TD2MI
VuhQevtor4U=
=4d2H
-----END PGP SIGNATURE-----