Symantec Firewalls Vulnerable to Intrusion, DOS

Symantec has confirmed a flaw in its firewall software products for Windows that could enable remote access or denial of service by attackers.

The company has released updates to fix the security holes, discovered by eEye Digital Security. Secunia termed the flaw extremely critical because of the large installed base for the affected Norton Internet Security and Norton Personal Firewall products and the potential for the flaw to be exploited by an auto-propagating worm.

Despite the ease of repair (Symantec users can simply run the products' LiveUpdate auto-update feature), vendors expressed concern about the similarity to the mid-March revelation of a vulnerability in ISS' Black Ice products, which was exploited barely a day later by the Witty worm. That incident raised alarms about "zero day exploits" - attacks published the same day a security hole becomes public, leaving no time for network administrators to repair vulnerable systems.

The Witty worm also illustrated the potential for security products to become entry points for the attacks they are designed to prevent. At least one large hosting company switched security products after damage from Witty knocked customers' servers offline for days.

At the time, the Cooperative Association for Internet Data Analysis (CAIDA) warned that the Witty worm exposed the "spectacular failure" of the current approach to computer security via patching, saying its innovations could be reproduced to create "a vastly more damaging event." Given the wide use of Norton firewall products and the ease of repair, the Symantec holes provide an interesting test of the effectiveness of patch-driven security in today's threat environment.