-----Original Message-----
From: Paz Itzhaki-Weinberger
Sent: Tuesday, July 13, 2004 5:02 PM
To: bugtraq@securityfocus.com
Subject: Symantec NAV - DoS Attack & Information Security Ethics

Symantec NAV DoS Attack:
I discovered a new DoS attack against NAV, and managed to craft a specially made archive demonstrating this vulnerability.
Once this archive is being attached to an email and transmitted to victim/s using NAV, it causes a DoS attack by using a design weakness of NAV's mechanism automatically checking incoming and outgoing emails and it's auto-repairing mechanism.
Every user who uses Symantec Norton Anti-Virus (I tested the crafted archive on Norton Anti-Virus 2004, 2003 Professional and 2002) is vulnerable.
This DoS attack can cause the user PC CPU to be at 100% for many hours/days, and in some cases can also make his POP3 account and outlook totally unavailable or make mail servers protected by anti-virus softwares unavailable.
An average user will find this attack paralyzing, and most chances he will require professional assistance to overcome this situation, "release" his POP3 account (until the issue resolved he will not be able to get incoming email if he uses Outlook or Outlook Express etc., and to free his PC resources.
Relevant information was sent to resolve this issue. Among other things I'm doing, I hope I'll find time to start working on creating a mechanism to automatically detect such attacks and similar ones (I found some similar ones published before, a bit more primitive and less effective in terms of the length of the DoS, but some are also working), automatically fix the situation for the user, and attempt to trace or track down immediate attack source.
Information Security Ethics:
I was very disturbed to see many cases where security experts revealed their findings (including proof-of-concept & malicious code) to the public or in large forums / the media before contacting the vendor or CERT, many many days / weeks / months before a solution was created and made publicly available.
I believe this is unethical (and probably illegal) behavior, and it's surely irresponsible.
It's like finding out a new way to poison the water supply of a huge city and instead of contacting the authorities or the water supply company to prevent any possible way this method will actually be used, publish this information with exact instructions in the news, enabling lunatics & terrorists to poison the water supply (Or shut down the electricity, create huge traffic jams etc.) just for the sake of personal publication.
Such publications of proof-of-concept codes and ideas prior to the creation of a solution or even basic awareness of the vendor help causing computer damages on a large scale, help hurting internet infrastructure and help causing DoS or many other issues like assisting large scale computer fraud.
I find it to be really serious - exactly like disturbing any of the other critical elements in the fabric of our society like the water or power supply or transportation.
I'm sure that if someone published a way to turn the power off the city of New-York he would have been arrested and trialed immediately.
But when someone publishes information enabling other, malicious human beings to turn off many computers in New-York and worldwide, or make internet services unavailable to millions of customers (and perhaps cause more damage!), its alright and legal measures aren't taken.
For example, I discovered a flaw in the latest Microsoft patch (KB870669) the very same day it was released, and immediately contacted Microsoft and CERT via email and by phone on the matter, so they will fix the issue and release a fixed patch to protect their customers once they investigate it and analyze it including all the implications on their products and a lengthy QA process. I also sent them proof-of-concept code.
I didn't even think to publish this finding (and surely not the code!!!) globally - my code could have been manipulated and risk millions of computers!
Two days later - I see someone from Netherland published a code, using this weakness, enabling crafting of new attacks by malicious/criminal programmers.
This time it wasn't such a critical flaw and there are better examples and it wasn't used yet, but I find even this incident to be very serious.
I ask all of you who are security professionals - If you discover such flaws, please contact the "Authorities" first - the vendors, CERT etc., and allow them time (lots of time) to resolve it. Creating patches is a lengthy process, and good vendors invest alot in QA and making sure their releases are almost bug-free.
And a message to the vendors - please start enforcing these ethical issues and start taking legal actions against vulnerability publishers!
In many cases, just because someone wants to see his name in the newspaper, he is willing to risk millions of computers (and sometimes billions of $) and will publish damaging information worldwide, without contacting the vendor first or allowing him time to investigate the matter and resolve it.
I think we should, as a society, encourage taking legal actions against such unethical irresponsible people, causing them huge financial damage and causing them to spend all their time in endless litigation - to stop this phenomenon.
also, we should encourage communicating this vital information to vendors and vendors alone upon discovery, by offering significant cash rewards & credits on the website and company publications when a solution is created and released after vital information is provided.
Not many vendors do that well, only a few.
Many vendors also don't have a specific contact person to deal with such cases, and this is also something to be dealt with.
I'd appreciate comments and opinions about ethics and revealing information about flaws and vulnerabilities (especially proof of concept codes) before a solution was created and sometimes before a vendor is aware of the problem.
Have a wonderful day,

Paz Itzhaki-Weinberger
Security Content Manager & Analyst
Gteko Ltd.

"Quidquid agis, prudenter agas, et respice finem"
The information in this e-mail is confidential and proprietary to Gteko Ltd., for the use of the intended recipient only. Any review, retransmission, dissemination, printing or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this by error, please contact the sender by phone or return this email and delete the material from all of your computers. Thank you.
Copyright 2003-2004, Gteko Ltd., all rights reserved.