Symantec recommends users apply a hotfix it released Tuesday to address a high-risk vulnerability in its Gateway Security, Enterprise Firewall and VelociRaptor products. Attackers could use the flaw for DNS cache poisoning and to redirect users to Web sites that can nail their computers with spyware and other malcode.
"Affected Symantec security
The issue affects:
- Gateway Security 5300 Series 1.0
- Gateway Security 5400 Series 2.0
- Enterprise Firewall 7.0 for Windows and Solaris
- Enterprise Firewall 8.0 for Windows and Solaris
- VelociRaptor, Model 1100/1200/1300 version 1.5
DNS cache poisoning can happen when inaccurate DNS records are dropped into a DNS server's cache tables, overwriting a valid name server record with the address of a DNS server the attacker controls. As Symantec noted, "Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site."
The Bethesda, Md.-based SANS Internet Storm Center (ISC) brought the problem to light in a March 4 handler's diary, which indicated users were being redirected to Web sites that would try to download spyware and adware modules to users' browsers.
"Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS servers' configuration was corrected," Symantec said in its advisory. Symantec also noted the ISC's assessment that "other non-Symantec product users" reported similar activity "so this malicious action appears not to have been limited to Symantec security gateway products."
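As an added example (not from Symantec's advisory or the ISC diary), a defender could spot the name server overwrite described above by diffing two snapshots of a resolver's cache. The snapshot format, the function names and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: two snapshots of a resolver cache, one record per
# line as "owner TTL class type rdata". Names and addresses are reserved
# documentation values, not real indicators.
BEFORE = """\
example.com.       86400 IN NS ns1.example.com.
example.com.       86400 IN NS ns2.example.com.
ns1.example.com.   86400 IN A  192.0.2.10
ns2.example.com.   86400 IN A  192.0.2.11
"""
AFTER = """\
example.com.       86400 IN NS ns1.rogue.example.
ns1.rogue.example. 86400 IN A  203.0.113.66
ns1.example.com.   86400 IN A  192.0.2.10
"""

def parse_cache(text):
    """Return {(owner, rtype): {rdata, ...}} from the snapshot lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank, comment and malformed lines
        owner, _ttl, _cls, rtype = fields[:4]
        records[(owner.lower(), rtype.upper())].add(" ".join(fields[4:]).lower())
    return records

def find_ns_overwrites(before, after):
    """Flag zones whose cached NS set gained a server missing from the
    baseline, and baseline name servers whose cached address changed."""
    findings = []
    for (owner, rtype), new in sorted(after.items()):
        old = before.get((owner, rtype))
        if rtype == "NS" and old and new - old:
            findings.append(("ns-replaced", owner, sorted(new - old)))
    baseline_ns = {ns for (_o, t), v in before.items() if t == "NS" for ns in v}
    for ns in sorted(baseline_ns):
        old, new = before.get((ns, "A")), after.get((ns, "A"))
        if old and new and new - old:
            findings.append(("glue-changed", ns, sorted(new - old)))
    return findings

if __name__ == "__main__":
    for finding in find_ns_overwrites(parse_cache(BEFORE), parse_cache(AFTER)):
        print(finding)
```

A changed NS set is a lead, not proof: confirm it against the zone's authoritative servers before acting.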