
Norton AntiVirus 2000 May Open a Security Hole on Users' Computers.


Timothy J. McNitt

Dec 21, 1999, 3:00:00 AM
This is an update of a post I made in this newsgroup in October and
November.

Norton AntiVirus 2000 (version 6.0) has a security flaw. NAV 2K has a
feature that can be set up to automatically scan incoming email
attachments for viruses. It does so by installing a program called
POProxy.exe. The new email attachment scanning feature is a good idea,
but it needs to be fixed.

Specifically, a port scan of a system with POProxy running will show
that the POP3 port 110 is wide open. This is an invitation to any
would-be cracker to explore the open port and perhaps the rest of the
user's system looking for vulnerabilities.

With a good proxy server running, a port scan may show that a port
exists, but that the port is closed. POProxy is a poorly designed
proxy server because it advertises an open port unnecessarily.

Port scans are a fact of life on the Internet. One of the basic
defenses is not to advertise any open ports. This is especially
important for users with cable or DSL connections and static IP
addresses.

A specific vulnerability in POProxy was reported on 20 December 1999,
on the w00w00 Security Development web site:
http://www.w00w00.org/advisories/nortonav.html

A possible exploit of the vulnerability was further explored on the
Packet Storm Internet Security Solutions web site:
http://packetstorm.securify.com/9912-exploits/norton.2000.txt

I informed Symantec of the potential for security issues with POProxy
on 13 October 1999. Symantec acknowledged the existence of the
problem, but they have not yet released a fix for it, nor have they
alerted registered Norton AntiVirus users of the problem. I contacted
Symantec again on 10 November 1999 and they indicated that they are
still working on a solution to the problem.

The history of posts on the Symantec support forums has been
interesting. Sometimes the Symantec representatives have told users
that they are aware of the security problem with POProxy and are
working on a solution. In other cases, the Symantec representatives
have told users that the open port poses no problem and Symantec has
no plans to do anything about it.

Until Symantec provides a solution to this issue, I recommend that
users of Norton AntiVirus 2000 (v. 6) take one of the following
actions:

1. Disable the new email protection feature and scan all incoming
email attachments manually. Disabling the email protection feature
will not affect the rest of the functionality of Norton AntiVirus
2000.

2. If disabling the email protection feature is not an acceptable
option, you may be able to close port 110 with a firewall. It has been
reported that BlackICE Defender is capable of closing the port.
AtGuard (and its soon to be released incarnation in Norton Internet
Security 2000) is NOT capable of closing the port. I have no
information on whether other firewall products are able to close the
port opened by POProxy.

Tim McNitt


Liberty 4All

Dec 21, 1999, 3:00:00 AM

Timothy J. McNitt wrote in message ...

>This is an update of a post I made in this newsgroup in October and
>November.
>
>Norton AntiVirus 2000 (version 6.0) has a security flaw. NAV 2K has a
>feature that can be set up to automatically scan incoming email
>attachments for viruses. It does so by installing a program called
>POProxy.exe. The new email attachment scanning feature is a good idea,
>but it needs to be fixed.
>
< snip >

>I informed Symantec of the potential for security issues with POProxy
>on 13 October 1999. Symantec acknowledged the existence of the
>problem, but they have not yet released a fix for it, nor have they
>alerted registered Norton AntiVirus users of the problem. I contacted
>Symantec again on 10 November 1999 and they indicated that they are
>still working on a solution to the problem.
>
>The history of posts on the Symantec support forums has been
>interesting. Sometimes the Symantec representatives have told users
>that they are aware of the security problem with POProxy and are
>working on a solution. In other cases, the Symantec representatives
>have told users that the open port poses no problem and Symantec has
>no plans to do anything about it.
>

< snip >

Thanks for your informative post. It doesn't surprise me that Symantec does
not advertise this flaw publicly to users/potential users. Issues with other
Norton products get the same treatment. Generating revenue is priority #1.
Incurring cost to rework their defects is not high on their list. Therefore,
keeping a lid on it keeps the sales coming in.
Users like yourself provide real consumer protection.

Peace

Digit

Dec 22, 1999, 3:00:00 AM
Or users could go to www.analogx.com , go to the network downloads and
download the Port Blocker. Then configure it to block port 110.

-==-==-==-==-==-==-==-==-==-==-==-==-==-==-
http://members.xoom.com/avdisk
Get AVDisk5 (F-Prot) and AVPDisk1 (AVPLite)
-==-==-==-==-==-==-==-==-==-==-==-==-==-==-

hac

Dec 26, 1999, 3:00:00 AM
"Timothy J. McNitt" wrote:
>
> Norton is finally responding to the security hole in NAV 2000:
> http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999122317000206&src=w
>
> Tim
>
That has to be one of the most grudging admissions I've ever read.
Symantec's handling of this inspires NO confidence in their
trustworthiness.

--
Howard Christeller Irvine, CA hchris...@home.com

Timothy J. McNitt

Dec 28, 1999, 3:00:00 AM
I spoke too soon. The patch issued by Symantec has NOT solved the bug
in Norton AntiVirus 2000. After installing the patch, the POP port 110
will still appear open to outside connections. The patch has made it
possible for the AtGuard firewall (and its new incarnation in Norton
Internet Security 2000) to close the port. AtGuard was previously
unable to close the port opened by NAV 2K.

Symantec needs to go back to the drawing board and try to design a
patch that will actually fix the bug in NAV 2K.

Tim


Ilya Kuryakin

Dec 28, 1999, 3:00:00 AM
Would this have anything to do with the rumours I am hearing about
ATGuard and Symantec product in general having a "call home" feature
on start up to report to Symantec information such as "am I legal"
etc


Timothy J. McNitt <mcn...@DeleteThisPart-acies.com> wrote in message
news:v65i6s45shnthvgr8...@4ax.com...



IPv6

Dec 28, 1999, 3:00:00 AM
Confirmed,

You still have to disable it inside of Nav2000.

IPv6

Dec 28, 1999, 3:00:00 AM
If you're Legal, why worry about it? Now, if it is sending anything else
besides that, I would be a little concerned. But, I trust them.

Just my worthless nickel in the wishing well...

"Ilya Kuryakin" <kury...@uncle.gov> wrote in message news:7S8a4.8213$vi5.2...@nnrp3.clara.net...


| Would this have anything to do with the rumours I am hearing about
| ATGuard and Symantec product in general having a "call home" feature
| on start up to report to Symantec information such as "am I legal"
| etc
|
|

Liberty 4All

Dec 28, 1999, 3:00:00 AM

IPv6 wrote in message ...

>Confirmed,
>
> You still have to disable it inside of Nav2000.
>
>
>"Timothy J. McNitt" <mcn...@DeleteThisPart-acies.com> wrote in message
news:v65i6s45shnthvgr8...@4ax.com...
>| I spoke too soon. The patch issued by Symantec has NOT solved the bug
>| in Norton AntiVirus 2000. After installing the patch, the POP port 110
>| will still appear open to outside connections. The patch has made it
>| possible for the AtGuard firewall (and its new incarnation in Norton
>| Internet Security 2000) to close the port. AtGuard was previously
>| unable to close the port opened by NAV 2K.
>|
>| Symantec needs to go back to the drawing board and try to design a
>| patch that will actually fix the bug in NAV 2K.
>|
>| Tim
>|
>
When I brought this to the attention of NAV support earlier this morning, I
was told that although the Port110 is "open", it can't be accessed by
unauthorized probes. Yeah. At first, they denied the Port will show open
when probed, until I gave them the ShieldsUp URL and asked them to test it
themselves. It's the lying and denying that get to me.

Peace

Kulvinder Singh Matharu

Dec 29, 1999, 3:00:00 AM
On Tue, 28 Dec 1999 21:33:11 -0500, "Liberty 4All"
<liber...@mindspring.com> wrote:

[snip]


>When I brought this to the attention of NAV support earlier this morning, I
>was told that although the Port110 is "open", it can't be accessed by
>unauthorized probes. Yeah. At first, they denied the Port will show open
>when probed, until I gave them the ShieldsUp URL and asked them to test it
>themselves. It's the lying and denying that get to me.

What's interesting is that before I got the Norton update the
ShieldsUp! site didn't detect port 110...it said I was in stealth
mode. I did have BlackICE Defender installed so it seems that it was
effectively hidden. The moral, I guess, is that you need to have
effective security built into your systems with a real firewall used
in conjunction with an intruder detection and protection system.

--
Kulvinder Singh Matharu
E-mail : ksmatharu # ieee . org [without the spaces and where #=@]
Website: http://www.matharu.demon.co.uk
(note : e-mail header address deliberately mangled)

Timothy J. McNitt

Dec 29, 1999, 3:00:00 AM
The engineers at BugNet report that the POP port 110 opened by NAV 2K
will now terminate any connection attempts from outside. The buffer
overflow problem appears to be solved. A port scan will still show the
port as "open". That will continue to annoy computer owners who like
to keep their systems "stealth", so that their systems do not appear
to exist when port scanned. Computer users with that concern will
probably have firewalls installed on their systems. Everyone else will
probably be unaware of any unwanted attention paid to their systems
because of what appears to be an open POP port. That is, unless
another exploit is found for the port opened by NAV 2K. Symantec's
patch is imperfect, but it is an improvement.

Tim

George Butch

Dec 30, 1999, 3:00:00 AM
Reading all of this is distressing to someone such as myself, who considers
the computer a tool to get other work done. I don't know what an "open port
110" means. I seldom play with the inner workings of my machine. I don't
repair my own car, either. I'm an intelligent individual, but my interests
and expertise are elsewhere.

So I spend a hundred bucks on Norton System Works 2000 in the hopes that it
will keep me out of trouble by watching out for things that I don't pretend
to understand. The name Norton on the package is what sealed the decision
for me.

I've had a number of performance related problems since installing the
package, and now it appears it may have created a security hole in its
attempt to guard my system from intrusion. I'm having some second thoughts
about my decision.

George Butch
Plantation, FL...

Pierre Vandevenne

Dec 30, 1999, 3:00:00 AM
In article <EfKa4.929$bU5....@news2.jacksonville.net>, "George Butch" <gbu...@mediaone.net> wrote:

>Reading all of this is distressing to someone such as myself, who considers
>the computer a tool to get other work done. I don't know what an "open port
>110" means.


Oh, that is quite easy. TCP/IP connections are full of metaphors. A port is,
just as it is in real life, a point of entry, in this case, a point of entry
to your system. Services offered on TCP/IP networks go through those "ports".
For example, browsing the web uses the HTTP protocol on port 80. To make
things simpler, some ports are said to be standard. While nothing prevents you
from running a web server on port 79 or 81 for example, the convention is that
it is run on 80 (or 8080 in some cases). Secure servers may run on 81 and 8081
etc... SMTP, the mail transfer protocol uses port 25, POP, the Post Office
Protocol (POP) uses port 110. NAV places a proxy there, that intercepts the
traffic and scans it.

>I seldom play with the inner workings of my machine. I don't
>repair my own car, either. I'm an intelligent individual, but my interests
>and expertise are elsewhere.

Yes, I understand fully.

>So I spend a hundred bucks on Norton System Works 2000 in the hopes that it
>will keep me out of trouble by watching out for things that I don't pretend
>to understand. The name Norton on the package is what sealed the decision
>for me.
>
>I've had a number of performance related problems since installing the
>package, and now it appears it may have created a security hole in its
>attempt to guard my system from intrusion. I'm having some second thoughts
>about my decision.

I am not really going to argue with that, especially since I am linked to a
company that sells and supports a direct competitor :-) but the problem is a
bit bigger than it seems.

The service that Norton runs on port 110 is vulnerable to some kind of attack,
true. You shouldn't have to worry about it, true as well. But you should be
aware that security holes are virtually everywhere and that there are probably
( certainly if you are not using some specific defense such as AtGuard,
Conseal Firewall9 or BlackIce) quite a few other holes open on your systems.

That leaves you with a few choices

- ignore them and hope it will go fine ( generally it does, there are an awful
lot of attempted hacks, but not so many successful ones unless you collaborate
unwillingly by running a backdoor )

- learn about them and close them - a good analogy here would be that while
you don't want to learn about combustion engines and double overhead
camshafts, you still know that you shouldn't leave your car open, or valuables
inside, or that you should have a basic understanding (even if unconscious) of
Newtonian physics lest you want to slide off the road at the first curve.

- ignore them and buy (find a free) protection system.

But basically, we agree, security holes are bad and should be avoided as much
as possible. Side effects, however, are a sad fact of life.

Pierre


---
Pierre Vandevenne, MD
www.datarescue.com, home of the IDA Pro Disassembler
Version 4.01 available


Arthur Hagen

Jan 3, 2000, 3:00:00 AM
"Timothy J. McNitt" wrote:
>
> Norton is finally responding to the security hole in NAV 2000:
> http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999122317000206&src=w

It's still reported as open from the outside after applying the latest
LiveUpdate. Even with AtGuard 3.22p11 running and blocking port 110
from the outside (and allowing it from localhost only), port 110 WILL
answer requests from the outside (dropping the connection immediately,
but it WILL answer and tell the world the port is open).

So no, it's definitely not fixed.

Regards,
--
*Art

Arthur Hagen

Jan 3, 2000, 3:00:00 AM

In particular, Norton's poproxy prevents AtGuard / Norton Internet
Security from logging connection attempts to port 110 from the outside,
since the poproxy task will intercept, accept and drop the connection
before it even gets to the firewall. Bad.

--
*Art
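
Why a listener that accepts and immediately drops connections still reads as "open" to a connect-style port check, shown as an added example that is not part of the original thread. The stub listener, its constructed banner and the `allowed_peers` parameter are assumptions standing in for the patched behaviour the posts describe; everything runs on loopback with ephemeral ports.

```python
import socket
import threading

GREETING = b"+OK constructed POP3 proxy ready\r\n"  # constructed banner, not POProxy's

def start_proxy_stub(allowed_peers):
    """Loopback listener on an ephemeral port: greets allowed peers, drops the rest.

    Models the patched behaviour described in the thread (accept, then close).
    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, peer = srv.accept()  # kernel has already completed the handshake
            except socket.timeout:
                continue
            with conn:
                if peer[0] in allowed_peers:
                    conn.sendall(GREETING)
                # any other peer: closed at once with nothing sent
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()

    return port, stop

def probe(host, port, timeout=1.0):
    """Classify a port as a connect-style scan would; returns (state, first_bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""      # RST: host answered, nothing listening
        except socket.timeout:
            return "filtered", b""    # silence: what the thread calls "stealth"
        try:
            return "open", s.recv(128)  # b"" means the peer hung up without a banner
        except (socket.timeout, ConnectionResetError):
            return "open", b""

def unused_port():
    """Pick a loopback port that has no listener (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    results = {}
    port, stop = start_proxy_stub(allowed_peers={"127.0.0.1"})
    results["allowed peer"] = probe("127.0.0.1", port)
    stop()
    port, stop = start_proxy_stub(allowed_peers=set())  # treat every peer as outside
    results["dropped peer"] = probe("127.0.0.1", port)
    stop()
    results["no listener"] = probe("127.0.0.1", unused_port())
    return results

if __name__ == "__main__":
    for case, (state, data) in demo().items():
        print(f"{case:13} {state:8} {data!r}")
```

The dropped peer and the allowed peer both come back as "open"; only the bytes after the handshake differ, which is why the application-level drop never reaches a firewall log as a blocked attempt.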

Timothy J. McNitt

Jan 4, 2000, 3:00:00 AM
On Mon, 03 Jan 2000 17:09:39 -0500, Arthur Hagen <a...@broomstick.com>
wrote:

>In particular, Norton's poproxy prevents AtGuard / Norton Internet
>Security from logging connection attempts to port 110 from the outside,
>since the poproxy task will intercept, accept and drop the connection
>before it even gets to the firewall. Bad.

Thanks for pointing that out, Art. I've given up on NAV 2K's email
scanning feature. It isn't really necessary anyway. As long as
Auto-protect is set to scan all file types, it should catch anything
the email scanner would. I still scan any suspect files manually out
of habit.

I suspect Symantec added the email scanning feature to NAV 2K just so
they could include it in their marketing hype. (The other guys have an
email scanner, we've got to have one too!) Symantec's developers
obviously did not take it seriously, or they would have engineered it
better.

I've been bugging Symantec about the security issues in POProxy for
three months. If anyone else wants to take up the lance and tilt at
this windmill, be my guest.

I'm currently testing replacements for all of the Symantec products on
my systems and those of my clients. Symantec only grudgingly dealt
with the security issue in POProxy after it became a media event. I
would prefer to purchase software from a company that fixes bugs when
they are first pointed out, rather than one that considers a security
bug to be a problem only when it receives media attention.

Tim

sami...@bix.com

Jan 4, 2000, 3:00:00 AM
Good response. I could say something about one of my pet peeves - the myth
that any PC user can competently utilize the technology without knowing
any more about it than needs to be learned to follow the setup script on a
shrink-wrapped box. The industry pushes the commodity product metaphor,
but it ain't necessarily so! Anyway, enough soapbox stuff. To your
practical advice, I'd only add a recommendation to visit the grc.com web
site and run the port tests - they give meaningful analysis and
recommendations in something resembling ordinary English.
On Thu, 30 Dec 1999 16:54:24 GMT Pierre Vandevenne of DataRescue wrote this
re Re: Norton AntiVirus 2000 May Open a Security Hole on Users' Computers.:

>- ignore them and hope it will go fine ( generally it does, there are an
>awful lot of attempted hacks, but not so many successful ones unless you
>collaborate unwillingly by running a backdoor )
>
>- learn about them and close them - a good analogy here would be that while
>you don't want to learn about combustion engines and double overhead
>camshafts, you still know that you shouldn't leave your car open, or
>valuables inside, or that you should have a basic understanding (even if
>unconscious) of Newtonian physics lest you want to slide off the road at
>the first curve.
>
>- ignore them and buy (find a free) protection system.
>
>But basically, we agree, security holes are bad and should be avoided as
>much as possible. Side effects, however, are a sad fact of life.
===
Scott
Welcome to 2000 - the _last_ year of the Twentieth Century and Second
Millennium

Liberty 4All

Jan 4, 2000, 3:00:00 AM

Timothy J. McNitt <mcn...@DeleteThisPart-acies.com> wrote in message
news:o3k27s40umu83eei8...@4ax.com...

> I'm currently testing replacements for all of the Symantec products on
> my systems and those of my clients. Symantec only grudgingly dealt
> with the security issue in POProxy after it became a media event. I
> would prefer to purchase software from a company that fixes bugs when
> they are first pointed out, rather than one that considers a security
> bug to be a problem only when it receives media attention.
>
> Tim

Tim, I pointed out several bugs to the Symantec folks concerning the NU
portion of SystemWorks2000. At first, there was denial, then, after I proved
it to them, there was acceptance, then there was nothing...until patches
were released, unannounced. It's unfortunate that Symantec are so consumed
with putting NAI out of business that they release product without adequate
beta testing, just to get it on the shelves. While folks poke endless jabs
at AOL and Microsoft, at least they did a good job of beta testing recent
releases of their software (AOL 5.0 and Office 2000). There was about 6
months of beta testing with selected participants from the user community on
both products and by and large, both products were *relatively* stable at
time of release. Symantec's beta testing was done on machines in their labs,
I was told.

Peace

JimW

Jan 5, 2000, 3:00:00 AM
According to the Symantec article at:

"The patch will change the port 110 settings to allow only Norton AntiVirus 2000 on your system to use the port. The port will still show as "open" from a port scanner that is run from another machine. However, only NAV 2000 can use the port. To restate slightly differently: Only the LOCAL machine can use port 110 after installing the NAV 2000 patch. External machines cannot access this port on the NAV machine."
Can anyone confirm or deny?

Another site that determined my IP address, did a tracert AND got my computer NAME right through the proxy - WITHOUT my running special software: http://www.privacy.net/analyze/

JimW

"Timothy J. McNitt" <mcn...@DeleteThisPart-acies.com> wrote in message news:v65i6s45shnthvgr8...@4ax.com...

Arthur Hagen

Jan 5, 2000, 3:00:00 AM
IPv6 wrote:
>
> If you're Legal, why worry about it?

If you're legal, you won't mind if someone entered your home and
demanded to check out your computer whether product X was installed, and
your video tape collection for movie Y too, while at it. Or would you,
even if you're "legal", object because it's an invasion of privacy?

> Now, if it is sending anything else
> besides that, I would be a little concerned. But, I trust them.

Do you also trust that they use top-grade encryption so no-one will be
able to intercept the data you send them? Or that someone in (shudder)
management at Symantec suddenly says "Hey, this is a great idea, why
don't we pull out all their email addresses too while at it, so we can
send our esteemed customers even more good offers?"...

Or how about not allowing this to happen in the first place, since other
companies with LESS scruples may be able to do it just because there's
precedents and no-one reacted when it was Symantec doing it...

> Just my worthless nickel in the wishing well...

Indeed.

--
*Art

IPv6

Jan 6, 2000, 3:00:00 AM
Everybody wants to be a super hero........

Nice to dream isn't it....

What do you think Symantec is thinking right now that you published this
via a public forum and claim you are the discoverer?

"This is a job for Judge Whop(a lawsuit) animal lover ex/inmate!"

(hehehe!)


"Liberty 4All" <liber...@mindspring.com> wrote in message news:84svie$pmq$1...@nntp8.atl.mindspring.net...


|
| Timothy J. McNitt <mcn...@DeleteThisPart-acies.com> wrote in message

IPv6

Jan 6, 2000, 3:00:00 AM
I simply would say: "C'mon in boys, want some coffee? Just don't mess
things up now ya hear!"

I have nothing to hide, of course, maybe you do.....


"Arthur Hagen" <a...@broomstick.com> wrote in message news:3873B0E3...@broomstick.com...

Timothy J. McNitt

Jan 7, 2000, 3:00:00 AM
On Wed, 05 Jan 2000 05:28:56 GMT, "JimW" <waechtle...@NOhome.net>
wrote:

>According to the Symantec article at:
>
>http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/03bba57b09f304ee8825685100051363?OpenDocument
>
> "The patch will change the port 110 settings to allow only Norton AntiVirus 2000 on your system to use the port. The port will still show as "open" from a port scanner that is run from another machine. However, only NAV 2000 can use the port. To restate slightly differently: Only the LOCAL machine can use port 110 after installing the NAV 2000 patch. External machines cannot access this port on the NAV machine."
>Can anyone confirm or deny?

BugNet has pretty much confirmed it. NAV 2K will now terminate any
attempts to connect to port 110 from the outside. A port scan will
still show the port as "open" unless you use a firewall to "close"
the port.

>Another site that determined my IP address, did a tracert AND got my computer NAME right through the proxy - WITHOUT my running special software: http://www.privacy.net/analyze/

If you are browsing through the @home proxy, the privacy.net site
should not be able to determine your computer name. It should come
back as proxy.something.something.something.home.com

If someone has your IP address (it's in the header of your newsgroup
postings) and does a traceroute to your IP address, they will see your
computer name. It's no big deal. The information on the privacy.net
site has very little to do with the security of your system.

Tim
