Various Vulnerabilities in Norton Anti-Virus 2002

From: Edvice Security Services (support@edvicesecurity.com)
Date: 03/07/02


From: "Edvice Security Services" <support@edvicesecurity.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 7 Mar 2002 19:16:01 +0200

Various Vulnerabilities in Norton Anti-Virus 2002
++++++++++++++++++++++++++++++++++++
 
Scope
----------
Edvice recently tested NAV 2002's ability to detect viruses in incoming
e-mail messages. NAV 2002 includes an Email protection feature that
scans incoming and outgoing e-mails for viruses.
 
The Findings
-----------------
We encountered 4 vulnerabilities in NAV 2002 email protection feature.
One of the vulnerabilities affects the Auto-Protect mechanism as well.
The vulnerabilities allow bypassing NAV 2002 email protection.
 
Details:
----------
1) It is possible to bypass NAV 2002 Incoming Email Protection by
injecting a NULL character into the MIME message. If the NULL character
appears before the virus part, then NAV 2002 fails to detect the virus.
 
2) Embedding virus or malicious code in certain non-RFC compliant MIME
formats in some instances causes Norton AntiVirus 2002 to prematurely
terminate scanning, allowing infected e-mails to go undetected in the
initial incoming scanning process.
 
3) Two file types, .nch and .dbx, are excluded by default from Norton
AntiVirus 2002 scanning. An attacker can take a Word macro virus, rename
it with an .nch or a .dbx extension, and send it to a victim. If the
victim runs Norton AntiVirus 2002, these files would be excluded from
being scanned. Because Windows automatically recognizes Microsoft
Office files, double-clicking the file executes the infected document.
 
4) By providing Different file names in the Content-Type and
Content-Disposition fields it is possible to deceive Norton AntiVirus
2002 to exclude the file from being scanned. Oulook will determine the
file's name using the Content-Disposition filename field while Norton
Anti-Virus 2002 will look at the Content-Type name field and exclude the
file from being scanned. E.g.
 
Content-Type: application/msword;
        name=\"Virus.nch\"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename=\"Virus.exe\"
 
Vendor Status
---------------------
Symantec's response can be found at:
http://securityresponse.symantec.com/

Edvice Security Services
support@edvicesecurity.com
http://www.edvicesecurity.com



Relevant Pages

  • Re: Norton 2002 and XP?
    ... I'd give Norton a miss altogether... ... It is better to use a current version antivirus (I usually say not ... > the vulnerabilities were quite serious in some cases. ... My personal feeling is that NAV 2003 was the last good ...
    (microsoft.public.windowsxp.basics)
  • Re: Need advise about Anti-virus and firewalls.
    ... >>Yep, Norton is only for computers with large amounts of RAM, I suggest only ... the Symantec product stopped more threat vectors. ... improvements since I tested, however so has NAV. ... Performance hit on game play can be mitigated under NAV by tweaking ...
    (alt.computer.security)
  • Re: Norton Plug-in (+Norton)
    ... When I bother to look at what NAV and also ZoneAlarmPro have caught, ... Word MVP FAQ site: http://word.mvps.org ... Clear the check box for "Enable Office Plug-in." ... Do I activate the Norton software on my laptop when it ...
    (microsoft.public.word.newusers)
  • Re: strange problem
    ... I was sort of teasing. ... I have had various Norton (Symantec) versions and products (NAV, ...
    (microsoft.public.windowsxp.general)
  • Re: Worst AV Experiences
    ... In the past my dislike of NAV (since it became Symantec NAV, ... > runs is a testament to either Norton AV or some exceptionally good luck ... > about 1-3 minutes after boot, except in safe mode). ... >> Steve Foster [SBS MVP] ...
    (microsoft.public.backoffice.smallbiz2000)