Norton Antivirus E-mail Bug
December 28, 1999

KeyLabs Tests Verify E-mail Scanner Fix

Symantec Thwarts Norton AntiVirus POP Vulnerability

by Bradley F. Shimmin

THOUGH LATE FOR CHRISTMAS, Symantec came through for its users yesterday, patching a potential security hole within Norton AntiVirus 2000. Available through Norton AntiVirus 2000's LiveUpdate feature, the patch will better secure Norton AntiVirus 2000's real-time e-mail scanning software from outside attacks.

First documented by BugNet reader Timothy J. McNitt and the folks at w00w00 Security Development earlier this month, the Norton AntiVirus 2000 bug left a TCP/IP port (port 110) open, making its host machine appear as a Post Office Protocol (POP) server to the outside world. Once aware of the open port, hackers could then use it to crash portions of AntiVirus 2000 and, in some situations, the host itself.

Point a telnet client at the patched POP port, and it will gladly slam the door in your face.

As tested by KeyLabs, the software patch does solve the security problem, but not by closing port 110. Rather, it simply tells the port to refuse all inbound connections. Security purists might argue that this solution still places users at risk, since a hacker scanning for open ports will readily see their machines. To hide a machine with open TCP/IP ports, users will have to request that their IT shop block all incoming port requests.

Visibility aside, with the patch in place, when an attacker uses a program like telnet to send arbitrary data to port 110, the host simply returns a connection error. This prevents hackers from hitting the host machine with buffer overflow attacks, which can crash the POProxy program (the program that monitors port 110).

The good news about Symantec's fix is that it won't prevent Norton AntiVirus 2000 from protecting users against e-mail viruses. Only the local machine can communicate through port 110.

"[The patch] will restrict use of the port only to Norton AntiVirus," explained Marian Merritt, group product manager at Symantec.

To patch Norton AntiVirus 2000, you've got to jump-start Symantec's LiveUpdate utility. The only catch is that to receive the patch, LiveUpdate must contact Symantec's server. Since it defaults to day 11 of every month, we suggest that you trigger LiveUpdate manually as follows:

1. Open NAV 2000 by double-clicking on the Norton AV icon on the toolbar.
2. Click on "LiveUpdate" in the top left-hand corner.
3. On the LiveUpdate welcome screen, choose the connection method and click on next.
4. LiveUpdate will connect to the NAV Internet site and check for an updated version.
5. If there is an update, it will list the update and allow you to choose to download the update. Place a check mark in this box.
6. Continue to follow the prompts and you should be good to go.

Note: you can also get to LiveUpdate by going to "Start" | "Programs" | "Norton's AntiVirus" | "LiveUpdate - Norton AntiVirus".

Others can still see that your machine houses an open POP port, but they won't be able to make any mischief.
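
The post-patch behaviour described above (the port still answers, but only the local machine is served) can be reproduced with a small listener that checks the peer address before talking. This is an added example, not Symantec's code: the accept-then-drop approach, the function names and the constructed banner are assumptions, and it uses an ephemeral loopback port rather than 110.

```python
import ipaddress
import socket
import threading

def peer_allowed(peer_ip):
    """Policy from the article: only the local machine may use the port."""
    return ipaddress.ip_address(peer_ip).is_loopback

def serve_once(listener, allow):
    """Accept one connection; greet allowed peers, drop everyone else."""
    conn, (peer_ip, _peer_port) = listener.accept()
    with conn:
        if allow(peer_ip):
            conn.sendall(b"+OK constructed proxy ready\r\n")  # constructed banner
        # Disallowed peer: close without reading or sending a single byte,
        # so no attacker-supplied data ever reaches a parser.

def probe(host, port, timeout=2.0):
    """What a telnet-style client sees: 'refused', 'dropped' or 'banner'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(64)
            except (ConnectionResetError, socket.timeout):
                return "dropped"
            return "banner" if data else "dropped"
    except ConnectionRefusedError:
        return "refused"  # nothing is listening: the port is truly closed

def demo(allow):
    """Run one listener with the given policy and probe it from loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, not 110
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(listener, allow))
    worker.start()
    result = probe("127.0.0.1", port)
    worker.join()
    listener.close()
    return result

if __name__ == "__main__":
    print("local mail client sees:", demo(peer_allowed))
    # Simulate a remote peer by forcing the policy to reject the connection.
    print("remote host would see: ", demo(lambda ip: False))
```

The "dropped" result is the case the article's purists object to: the TCP handshake still completes, so a port scan reports the port as open even though no data is ever processed.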