Vulnerabilities in Symantec Products, Dabber Worm, Empty .zip File Attachments

Published: 2004-05-13
Last Updated: 2004-05-13 18:26:45 UTC
by Marcus Sachs (Version: 1)
Vulnerabilities in Symantec Products. eEye Digital Security recently discovered four vulnerabilities in the Symantec Client Firewall products for Windows. If successfully exploited, they could allow an attacker to render the targeted system inoperable or to execute code remotely with kernel-level privileges on the targeted system. Details are available from Symantec at
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html


The eEye bulletins with complete details on the issues are at
http://www.eeye.com/html/Research/Advisories/AD20040512A.html

http://www.eeye.com/html/Research/Advisories/AD20040512B.html

http://www.eeye.com/html/Research/Advisories/AD20040512C.html

http://www.eeye.com/html/Research/Advisories/AD20040512D.html


At least one of these issues can be exploited by a single packet. Advisory AD20040512A states that, "By sending a single specially-crafted NetBIOS Name Service (UDP port 137) packet to a vulnerable host, an attacker could cause an arbitrary memory location to be overwritten with data he or she controls, leading to the execution of attacker-supplied code with kernel privileges and the absolute compromise of the target."


This puts the Internet community in the same position we were in prior to the release of the Witty worm several weeks ago. If you use any of the affected products on the list below, you should immediately ensure that you have updated your software per the instructions on the Symantec link above. Affected systems include:


Consumer:

Symantec Norton Internet Security and Professional 2002, 2003, 2004

Symantec Norton Personal Firewall 2002, 2003, 2004

Symantec Norton AntiSpam 2004


Corporate:

Symantec Client Firewall 5.01, 5.1.1

Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1)



Dabber Worm. Joe at LURHQ notified us that they discovered a new worm exploiting a vulnerability in the FTP server component of the Sasser worm. According to their advisory, this worm will only infect users already infected by Sasser. They have tentatively named this worm "Dabber". Details are at
http://www.lurhq.com/dabber.html

Empty .zip File Attachments. From the mailbag today we heard about multiple cases of spam emails arriving with the conventional .zip attachment and a graphical password in the text, where opening the attachment revealed an empty .zip archive. The best theory we have is that the sender of the spam is unable to create a properly constructed .zip file, and sends a small fragment with the .zip extension. Other theories are welcome.
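One way to test the fragment theory on a received attachment is to check for the ZIP end-of-central-directory (EOCD) record: a well-formed but empty archive is exactly that 22-byte record with zero entries, while a cut-off file has a local file header and no directory. The following Python is an added example, not part of the original diary; the function names and sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
LFH_SIG = b"PK\x03\x04"    # local file header (start of a normal archive)
EOCD_MIN = 22              # fixed EOCD size when there is no archive comment


def classify_zip(data: bytes) -> str:
    """Return 'not-zip', 'fragment', 'empty' or 'populated' for attachment bytes."""
    # The EOCD sits at the end, followed only by an optional comment (max 65535 bytes).
    tail_start = max(0, len(data) - (EOCD_MIN + 0xFFFF))
    pos = data.rfind(EOCD_SIG, tail_start)
    if pos == -1 or len(data) - pos < EOCD_MIN:
        # No usable directory: a cut-off archive, or not a zip at all.
        return "fragment" if data.startswith(LFH_SIG) else "not-zip"
    # Fields: sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from("<4s4H2LH", data, pos)
    if total == 0:
        return "empty"
    if cd_offset + cd_size > pos:
        # The directory claims to extend past the bytes actually present.
        return "fragment"
    return "populated"


def build_samples() -> dict:
    """Constructed sample attachments (not taken from the reported spam)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    full = buf.getvalue()
    empty_buf = io.BytesIO()
    zipfile.ZipFile(empty_buf, "w").close()   # writes only the 22-byte EOCD
    return {
        "populated": full,
        "empty": empty_buf.getvalue(),
        "fragment": full[:40],                # header and name only, directory missing
        "not-zip": b"GIF89a constructed",
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:10s} {len(blob):4d} bytes -> {classify_zip(blob)}")
```

A result of "empty" means the sender produced a valid archive with nothing in it; "fragment" is what the theory above predicts.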

Marcus H. Sachs

Handler on Duty