Symantec patches critical firewall flaws

For the third time this year, the company issues patches for many of its antivirus and firewall products in order to fix serious security flaws.

For the third time this year, Internet security company Symantec has had to release patches to plug critical security flaws in many of its popular antivirus and firewall packages.

Security company eEye on Wednesday published details of four security holes that affect a range of Symantec's client-based applications, including Norton Internet Security, Norton AntiVirus and Norton AntiSpam. Symantec has published a security response on its Web site.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Symantec's Guido Sanchidrian, a product manager for antivirus, content filtering and security response, said the company has spent the past month developing fixes for the vulnerabilities and has now made the patches available to its customers.

"Anyone who regularly runs Symantec LiveUpdate should already be protected. However, to be sure, customers should manually run Symantec LiveUpdate," Sanchidrian said.

Philippe Alcoy, senior security consultant at eEye, said the people most at risk are those not protected by a perimeter firewall. This might include people at home, workers at smaller businesses and corporate laptop users not working through their VPNs.

"Most corporate environments have perimeter firewalls, so users behind that are only vulnerable to an internal attack, but users taking laptops home are at risk," Alcoy said.

Of the four flaws, three could allow a hacker to take control of an affected system, while one could be used to force a computer into an infinite loop by simply sending it a specially crafted packet of data.

"That's a big problem if the machine is a mission-critical server," Alcoy said.

The flaws were first reported to Symantec on April 19, which means the company has taken just under a month to develop a patch. According to eEye, this is a "reasonable" amount of time in which to address the vulnerabilities.

In January, Symantec plugged a gap in its LiveUpdate feature that could have allowed hackers to gain administrator rights on an affected PC. Just two months later, the company admitted its Internet Security package contained a back door that could be used by hackers to take control of the machine.

The flaws affect the following packages: Norton Internet Security and Norton Internet Security Professional 2002, 2003 and 2004; Norton Personal Firewall 2002, 2003 and 2004; Symantec Client Firewall 5.01 and 5.1.1; Symantec Client Security 1.0, 1.1 and 2.0 (SCF 7.1) and Norton AntiSpam 2004.

Symantec's Sanchidrian said the company does not believe any of its customers have been affected by the flaws at this time.

Munir Kotadia of ZDNet UK reported from London.