Symantec firewall flaw reported

May 17, 2004

* Patches from Symantec, Trustix, Slackware, others
* Red Hat closes out support for Red Hat Linux 9
* Redmond enlists security vendors to automate policy compliance, and other interesting reading

Strange request of the week: A colleague of mine is writing an article for our annual You Issue about network managers that collect antiques in their spare time. If you fit the bill and are willing to be interviewed about your hobby, e-mail Brett Cough at

Today’s bug patches and security alerts:

ISS reports Symantec firewall flaw

ISS is reporting that vulnerabilities have been found in the DNS and NBNS (NetBIOS Name Service) protocol-processing functions used by Symantec firewall products. An attacker could exploit the flaws to cause a buffer overflow and potentially gain kernel-level access on the compromised system. For more, go to:

Official response from Symantec:

ISS credits eEye with finding the flaws:

Symantec Multiple Firewall Remote DNS KERNEL Overflow

Symantec Multiple Firewall NBNS Response Processing Stack Overflow

Symantec Multiple Firewall DNS Response Denial-of-Service

Symantec Multiple Firewall NBNS Response Remote Heap Corruption
Critical 802.11 wireless flaw identified

A serious flaw in 802.11 wireless network technology that could bring down some critical infrastructure in just 5 seconds has been identified by Queensland University of Technology’s (QUT) Information Security Research Centre, a finding that is likely to have worldwide ramifications. Computerworld, 05/13/04.

Slackware, Trustix patch Apache

Two vulnerabilities have been found in the popular Apache Web server code. One could be used in a denial-of-service attack against the affected machine. The other could be used to inject shell escape sequences into Apache’s error log. For more, go to:

Red Hat closes out support for Red Hat Linux 9

As of April 30, Red Hat no longer supports its Red Hat Linux 9 (and earlier) operating systems. It released a flurry of updates on the last day of support:

Utempter symlink vulnerability:

Libpng out-of-bounds error:

Patch for OpenOffice’s neon:

Several flaws in Midnight Commander (mc):

Four vulnerabilities in LHA:

Potential arbitrary code execution in X-Chat:

DoS flaw in httpd’s mod_ssl package:
Trustix patches kernel

An integer overflow in the SCTP code in Trustix’s kernel could be exploited by a local user to gain root access. For more, go to:

SuSE updates Midnight Commander (mc)

A number of vulnerabilities have been found in the Midnight Commander (mc) file manager. The flaws could be exploited by a local user to gain the privileges of the user running mc. For more, go to:

Today’s roundup of virus alerts:

Wallon worm uses Yahoo, Microsoft to spread

Anti-virus software companies issued warnings and software updates on Tuesday and Wednesday for a new worm, Wallon, that uses deceptive Web links to trick users into downloading malicious programs. IDG News Service, 05/13/04.

New worm targets Sasser code flaw

A new Internet worm is spreading by exploiting a flaw in the Sasser worm, according to an alert issued Thursday. The new worm, tentatively named Dabber, takes advantage of a vulnerability in the FTP server component of Sasser and may have infected thousands of computers already infected with Sasser. IDG News Service, 05/13/04.

W32/Agobot-ZH — Another Agobot variant that spreads via network shares protected by weak passwords. The virus provides backdoor access to the infected machine via IRC and terminates certain anti-virus applications. (Sophos)

W32/Agobot-JI — A multi-purpose Agobot variant that spreads via weakly protected network shares. In addition to being a backdoor access point and disabling security applications and access to security Web sites, the virus can also sniff certain network traffic and be used to launch denial-of-service attacks against remote sites. (Sophos)

W32/Sdbot-IK — Like some of the Agobot worms, this Sdbot variant spreads via weakly protected network shares, installing itself in the Windows System directory with the names wnetmgr.exe and cool.exe. This virus allows backdoor access via IRC, terminates certain security applications and attempts to redirect browser requests for security-related Web sites. (Sophos)

Troj/StartPa-AE — A virus that changes various Internet Explorer attributes each time the infected machine is started. (Sophos)

W32/Spybot-TA — As the name implies, this virus can be used as a keylogger and as a backdoor access channel via IRC. It also disables certain security-related applications running on the infected machine. It appears to spread via Kazaa and other file-sharing networks. (Sophos)

Troj/Agent-A — Here’s what Sophos says about this virus: “Troj/Agent-A is a BMP file that downloads an executable to C:\sys.exe.” (Sophos)

W32/Sober-G — A new variant of the Sober mass-mailing worm. It spreads using harvested e-mail addresses and randomly chosen subject lines and attachment names, though most infected attachments end in “.zip”. (Sophos)

From the interesting reading department:

Redmond enlists security vendors to automate policy compliance

Microsoft is working with anti-virus vendors to ensure that, in the future, its software will be able to verify that a user’s desktop is secure and has up-to-date anti-virus signatures before granting access to corporate resources. Network World, 05/17/04.

Technology Insider: Web application security

In this Technology Insider, we’ll show you how to protect your Web apps from tricky maneuvers like SQL injection, cross-site scripting, cookie poisoning and authentication hijacking. Network World, 05/17/04.

Are you 133t?

One-time hacker slang now ridiculed by all except those who use it. Network World, 05/17/04.

Bluetooth’s sprawl heightens security concerns

Michael Ciarochi used to see Bluetooth as just a convenient way to hook up a keyboard to a laptop or PDA at HomeBanc Mortgage, where he’s senior WAN/security engineer. That was until he got a shipment of new laptops as part of a planned technology upgrade. Much to his surprise, each system came with a built-in Bluetooth radio, creating what he says amounted to a hidden window into any sensitive or confidential data that might be stored on the laptops’ hard drives. Network World, 05/17/04.

Start-up reveals NIC-styled encryption

Start-up Seclarity last week unveiled a security-oriented network interface card called SiNic that customers can use for peer-to-peer encryption and firewall protection on desktops and servers. Network World, 05/17/04.

Further Sasser arrests but no charges in Germany

Police in Lower Saxony, Germany, arrested five young men on Tuesday in connection with the Sasser Internet worm, but all have been released without charge, a police spokesman said Thursday. IDG News Service, 05/13/04.