Symantec NAV DoS Attack:
-----------------------------------------
I discovered a new DoS attack against NAV, and managed to craft a specially made archive demonstrating this vulnerability.
Once this archive is attached to an email and transmitted to victim/s using NAV, it causes a DoS attack by using a design weakness of NAV's mechanism for automatically checking incoming and outgoing emails and its auto-repairing mechanism.
Every user who uses Symantec Norton Anti-Virus (I tested the crafted archive on Norton Anti-Virus 2004, 2003 Professional and 2002) is vulnerable.
This DoS attack can cause the user's PC CPU to be at 100% for many hours/days, and in some cases can also make his POP3 account and Outlook totally unavailable or make mail servers protected by anti-virus software unavailable.
An average user will find this attack paralyzing, and most likely he will require professional assistance to overcome this situation, "release" his POP3 account (until the issue is resolved he will not be able to get incoming email if he uses Outlook or Outlook Express etc.), and free his PC resources.
Relevant information was sent to resolve this issue. Among other things I'm doing, I hope I'll find time to start working on creating a mechanism to automatically detect such attacks and similar ones (I found some similar ones published before, a bit more primitive and less effective in terms of the length of the DoS, but some are also working), automatically fix the situation for the user, and attempt to trace or track down the immediate attack source.
Information Security Ethics:
----------------------------------------
I was very disturbed to see many cases where security experts revealed their findings (including proof-of-concept & malicious code) to the public or in large forums / the media before contacting the vendor or CERT, many many days / weeks / months before a solution was created and made publicly available.
I believe this is unethical (and probably illegal) behavior, and it's surely irresponsible.
It's like finding out a new way to poison the water supply of a huge city and, instead of contacting the authorities or the water supply company to prevent any possible way this method will actually be used, publishing this information with exact instructions in the news, enabling lunatics & terrorists to poison the water supply (or shut down the electricity, create huge traffic jams etc.) just for the sake of personal publicity.
Such publications of proof-of-concept code and ideas prior to the creation of a solution, or even basic awareness of the vendor, help cause computer damage on a large scale, help hurt internet infrastructure and help cause DoS or many other issues like assisting large-scale computer fraud.
I find it to be really serious - exactly like disturbing any of the other critical elements in the fabric of our society like the water or power supply or transportation.
I'm sure that if someone published a way to turn the power off in the city of New York he would have been arrested and tried immediately.
But when someone publishes information enabling other, malicious human beings to turn off many computers in New York and worldwide, or make internet services unavailable to millions of customers (and perhaps cause more damage!), it's alright and legal measures aren't taken.
For example, I discovered a flaw in the latest Microsoft patch (KB870669) the very same day it was released, and immediately contacted Microsoft and CERT via email and by phone on the matter, so they will fix the issue and release a fixed patch to protect their customers once they investigate it and analyze it, including all the implications on their products and a lengthy QA process. I also sent them proof-of-concept code.
I didn't even think to publish this finding (and surely not the code!!!) globally - my code could have been manipulated and risked millions of computers!
Two days later - I see someone from the Netherlands published code using this weakness, enabling the crafting of new attacks by malicious/criminal programmers.
This time it wasn't such a critical flaw, there are better examples and it wasn't used yet, but I find even this incident to be very serious.
I ask all of you who are security professionals - if you discover such flaws, please contact the "Authorities" first - the vendors, CERT etc., and allow them time (lots of time) to resolve it. Creating patches is a lengthy process, and good vendors invest a lot in QA and making sure their releases are almost bug-free.
And a message to the vendors - please start enforcing these ethical issues and start taking legal action against vulnerability publishers!
In many cases, just because someone wants to see his name in the newspaper, he is willing to risk millions of computers (and sometimes billions of $) and will publish damaging information worldwide, without contacting the vendor first or allowing him time to investigate the matter and resolve it.
I think we should, as a society, encourage taking legal action against such unethical, irresponsible people, causing them huge financial damage and causing them to spend all their time in endless litigation - to stop this phenomenon.
Also, we should encourage communicating this vital information to vendors and vendors alone upon discovery, by offering significant cash rewards & credits on the website and company publications when a solution is created and released after vital information is provided.
Not many vendors do that well, only a few.
Many vendors also don't have a specific contact person to deal with such cases, and this is also something to be dealt with.
I'd appreciate comments and opinions about ethics and revealing information about flaws and vulnerabilities (especially proof-of-concept code) before a solution is created, and sometimes before a vendor is aware of the problem.
Have a wonderful day,
------------------------------------------------------------------------------
Paz Itzhaki-Weinberger
Security Content Manager & Analyst
Gteko Ltd.
"Quidquid agis, prudenter agas, et respice finem"
------------------------------------------------------------------------------
Copyright 2003-2004, Gteko Ltd., all rights reserved.