Symantec has released patches to fix four high-impact vulnerabilities in several of its popular antivirus and firewall products for Windows. An attacker who successfully exploits the holes could render targeted systems inoperable or execute remote code with kernel-level privileges, the security software giant said in an advisory.
The weaknesses were found by eEye Digital Security of Aliso Viejo, Calif., and reported to Symantec April 19. Symantec released the fixes Wednesday.
"The fact that this vulnerability can be exploited with all ports filtered is cause for some concern, especially if Norton Personal Firewall is the only layer of protection a system has," said Aaron Schaub, a security analyst at Herndon, Va.-based TruSecure. "The fortunate aspect of the vulnerability is that considering the nature of Norton Personal Firewall, workstations and laptops are the most at risk in a corporate environment and primary infrastructure systems should be largely unaffected. While workstations will probably be protected by a perimeter security device, laptops are routinely exposed to unprotected networks as a result of business travel."
Customers are advised to obtain the patches through Symantec's LiveUpdate program and technical support channels. Users of consumer versions of the affected products who regularly run a manual LiveUpdate should already be protected, the advisory said.
Vulnerable programs are the 2002-2004 versions of Norton Internet Security, Professional and Personal Firewall; Norton AntiSpam 2004; Client Firewall 5.01, 5.1.1 and Client Security 1.0, 1.1, 2.0 (SCF 7.1), said the advisory.
Symantec said in a statement that eEye found three instances where remote kernel-level access could potentially be gained. Additionally, they reported a denial of service (DoS) issue that requires a system reboot to regain control of the system. All issues occur within routines in the SYMDNS.SYS component. To date, the company has received no indication that the vulnerabilities have been exploited.
The first vulnerability is a stack-based buffer overflow in the processing of DNS requests and responses. An attacker who triggers the overflow could execute code remotely on the targeted system with kernel-level privileges.
"With the ability to freely execute code at the Ring 0 privilege level, there are literally no boundaries for an attacker," eEye said on its Web site. "It should also be noted that due to a separate design flaw in the firewall's handling of incoming packets, this attack can be successfully performed with all ports filtered and all intrusion rules set."
The second is a stack overflow in the processing of NetBIOS Name Service responses that can result in a memory overwrite.
"By sending a single specially-crafted NetBIOS Name Service (UDP port 137) packet to a vulnerable host, an attacker could cause an arbitrary memory location to be overwritten with data he or she controls, leading to the execution of attacker-supplied code with kernel privileges and the absolute compromise of the target," eEye said.
The third is a potential heap corruption caused by improper bounds checking in the processing of NetBIOS Name Service responses. If exploited, an attacker could execute arbitrary code on the targeted system with kernel-level privileges.
The fourth is a potential denial of service (DoS) condition caused by improper handling of DNS response packets. Maliciously configured DNS responses can cause the targeted system to halt, requiring a system reboot to clear the condition and regain system access.
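All four issues come down to one driver trusting length fields in DNS and NetBIOS Name Service (NBNS) responses, which share the same wire format (RFC 1002 builds NBNS on the DNS header and label encoding, with 32-byte first-level-encoded names). The advisory does not describe the internals of SYMDNS.SYS, so the following C code is an added illustration of what defensive bounds checking looks like for this format, not Symantec's or eEye's code and not a reconstruction of the flaws: a name decoder and a response walker that reject truncated packets, labels or RDATA that run past the packet end, compression pointers that point outside the packet or forward, and pointer cycles. The function names, the hop limit, the backward-only pointer rule (stricter than RFC 1035's wording, a common hardening choice) and all packet bytes are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on a wire-format name */
#define DNS_MAX_HOPS 16    /* cap on compression pointers followed per name (example's choice) */

/* Outcomes of decoding one name; anything but DNS_NAME_OK means "drop the packet". */
enum dns_name_result {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,    /* packet ends inside a label or pointer */
    DNS_NAME_BAD_LABEL,    /* label type other than plain (00) or pointer (11) */
    DNS_NAME_BAD_POINTER,  /* pointer outside the packet or not pointing backwards */
    DNS_NAME_TOO_LONG,     /* name exceeds 255 wire bytes or the caller's buffer */
    DNS_NAME_LOOP          /* too many pointer hops: a pointer cycle */
};

/* Decode the DNS/NBNS name at pkt[off] into a dotted string in out[outlen].
 * Every read is checked against pktlen before it happens. On success *next
 * receives the offset just past the name in the un-jumped byte stream. */
enum dns_name_result dns_read_name(const uint8_t *pkt, size_t pktlen, size_t off,
                                   char *out, size_t outlen, size_t *next)
{
    size_t pos = off, outpos = 0, wire = 0, after = 0;
    int hops = 0, jumped = 0;

    if (outlen == 0) return DNS_NAME_TOO_LONG;
    for (;;) {
        if (pos >= pktlen) return DNS_NAME_TRUNCATED;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                          /* compression pointer */
            if (pos + 1 >= pktlen) return DNS_NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos) return DNS_NAME_BAD_POINTER;  /* forward or self-pointer */
            if (++hops > DNS_MAX_HOPS) return DNS_NAME_LOOP;
            if (!jumped) { after = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL;
        if (len == 0) {                                      /* root label ends the name */
            if (!jumped) after = pos + 1;
            break;
        }
        if (len > pktlen - pos - 1) return DNS_NAME_TRUNCATED;  /* label body must fit */
        wire += 1 + len;
        if (wire + 1 > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;
        size_t need = (outpos ? 1 : 0) + len + 1;            /* '.', label, NUL */
        if (need > outlen - outpos) return DNS_NAME_TOO_LONG;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    if (next) *next = after;
    return DNS_NAME_OK;
}

/* Walk the question and answer sections of a response, checking every length
 * field against the packet before using it. Returns the number of answer
 * records checked, or -1 if the packet is malformed. */
int dns_check_response(const uint8_t *pkt, size_t pktlen)
{
    char name[DNS_MAX_NAME + 1];
    size_t off = 12;                                         /* fixed header size */
    if (pktlen < off || !(pkt[2] & 0x80)) return -1;         /* too short, or QR bit says "query" */
    unsigned qd = ((unsigned)pkt[4] << 8) | pkt[5], an = ((unsigned)pkt[6] << 8) | pkt[7];
    for (unsigned i = 0; i < qd; i++) {
        if (dns_read_name(pkt, pktlen, off, name, sizeof name, &off) != DNS_NAME_OK) return -1;
        if (pktlen - off < 4) return -1;                     /* QTYPE + QCLASS */
        off += 4;
    }
    int checked = 0;
    for (unsigned i = 0; i < an; i++) {
        if (dns_read_name(pkt, pktlen, off, name, sizeof name, &off) != DNS_NAME_OK) return -1;
        if (pktlen - off < 10) return -1;                    /* TYPE, CLASS, TTL, RDLENGTH */
        size_t rdlen = ((size_t)pkt[off + 8] << 8) | pkt[off + 9];
        off += 10;
        if (rdlen > pktlen - off) return -1;                 /* RDATA must fit */
        off += rdlen;
        checked++;
    }
    return checked;
}

/* Constructed samples (not captured traffic). A one-question, one-answer A-record
 * response for www.example.com; the answer name is a pointer (C0 0C) to offset 12. */
static const uint8_t SAMPLE_RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    192, 0, 2, 1
};
/* NBNS-style name: one 32-byte first-level-encoded label (the "*" wildcard);
 * the string literal's terminating NUL doubles as the root label. */
static const char SAMPLE_NBNS[] = "\x20" "CK" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
static const uint8_t SAMPLE_TRUNCATED[] = { 3, 'w', 'w' };              /* label claims 3 bytes, 2 present */
static const uint8_t SAMPLE_BAD_POINTER[] = { 0xC0, 0x50 };            /* pointer to offset 80 of a 2-byte packet */
static const uint8_t SAMPLE_LOOP[] = { 3, 'a', 'b', 'c', 0xC0, 0x00 }; /* label, then a pointer back to it */

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    size_t next;
    printf("answers checked: %d\n", dns_check_response(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    printf("nbns: %d -> %s\n", dns_read_name((const uint8_t *)SAMPLE_NBNS, sizeof SAMPLE_NBNS, 0, name, sizeof name, &next), name);
    printf("truncated=%d bad_pointer=%d loop=%d\n",
           dns_read_name(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0, name, sizeof name, &next),
           dns_read_name(SAMPLE_BAD_POINTER, sizeof SAMPLE_BAD_POINTER, 0, name, sizeof name, &next),
           dns_read_name(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 0, name, sizeof name, &next));
    return 0;
}
```

The point of the shape is that no length taken from the packet (a label byte, a pointer offset, RDLENGTH) is ever used to index or copy before it has been compared with the bytes actually remaining, and that the decoded name is bounded independently by both the 255-byte wire limit and the caller's buffer; the loop sample shows why a backward-only pointer rule alone is not enough and a hop limit is still needed.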