[NT] Various Vulnerabilities in Norton Anti-Virus 2002

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 13 Mar 2002 09:07:15 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Various Vulnerabilities in Norton Anti-Virus 2002
------------------------------------------------------------------------

SUMMARY

Edvice recently tested NAV 2002's ability to detect viruses in incoming
e-mail messages. NAV 2002 includes an Email protection feature that scans
incoming and outgoing e-mails for viruses.
Edvice encountered 4 vulnerabilities in the NAV 2002 email protection feature;
one of the vulnerabilities affects the Auto-Protect mechanism as well.
The vulnerabilities allow bypassing NAV 2002 email protection.

DETAILS

The following security vulnerabilities were found:

1) It is possible to bypass NAV 2002 Incoming Email Protection by
injecting a NULL character into the MIME message. If the NULL character
appears before the virus part, then NAV 2002 fails to detect the virus.

2) Embedding virus or malicious code in certain non-RFC compliant MIME
formats in some instances causes Norton AntiVirus 2002 to prematurely
terminate scanning, allowing infected e-mails to go undetected in the
initial incoming scanning process.

3) Two file types, .nch and .dbx, are excluded by default from Norton
AntiVirus 2002 scanning. An attacker can take a Word macro virus, rename
it with an .nch or a .dbx extension, and send it to a victim. If the
victim runs Norton AntiVirus 2002, these files would be excluded from
being scanned. Because Windows automatically recognizes Microsoft Office
files, double-clicking the file executes the infected document.

4) By providing different file names in the Content-Type and
Content-Disposition fields, it is possible to deceive Norton AntiVirus 2002
into excluding the file from scanning. Outlook determines the file's
name from the Content-Disposition filename field, while Norton Anti-Virus
2002 looks at the Content-Type name field and excludes the file from
scanning. E.g.:

Content-Type: application/msword;
        name="Virus.nch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Virus.exe"
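
A mail-gateway check for items 1, 3 and 4 above, as an added example that is not part of the original advisory and not Edvice's or Symantec's code: it parses a message with Python's standard email module and flags a NUL byte, the two default-excluded extensions, and a Content-Type name that disagrees with the Content-Disposition filename. The names audit_message, _param and EXCLUDED_EXTS and the sample message are constructed for illustration.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Extensions the advisory says NAV 2002 excludes from scanning by default.
EXCLUDED_EXTS = {".nch", ".dbx"}

# Constructed sample: headers follow the advisory's example; the body is harmless text.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b"Content-Type: application/msword;\r\n"
    b'\tname="Virus.nch"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment;\r\n"
    b'\tfilename="Virus.exe"\r\n\r\n'
    b"aGFybWxlc3M=\r\n"
    b"--b1--\r\n"
)

def _param(part, name, header):
    value = part.get_param(name, header=header)
    return None if value is None else collapse_rfc2231_value(value)

def audit_message(raw: bytes):
    """Return (code, detail) findings for one raw message (hypothetical helper)."""
    findings = []
    nul = raw.find(b"\x00")
    if nul != -1:  # item 1: a NUL byte anywhere in the raw MIME message
        findings.append(("nul-byte", f"offset {nul}"))
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = _param(part, "name", "content-type")
        cd_name = _param(part, "filename", "content-disposition")
        # item 4: the two headers name the same attachment differently
        if ct_name and cd_name and ct_name.lower() != cd_name.lower():
            findings.append(("name-mismatch", f"{ct_name} vs {cd_name}"))
        # item 3: either name carries a default-excluded extension
        for n in sorted({ct_name, cd_name} - {None}):
            if os.path.splitext(n)[1].lower() in EXCLUDED_EXTS:
                findings.append(("excluded-ext", n))
    return findings
```

Run over SAMPLE, it reports the name mismatch and the excluded .nch extension; a gateway could quarantine on any finding rather than trusting one header over the other.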

ADDITIONAL INFORMATION

The information has been provided by Edvice Security Services
<support@edvicesecurity.com>.
