Security hole found in Symantec update tool

A group of German hackers have exposed a vulnerability in Symantec's software for updating antivirus software and other programs, which could be used to download and run hostile code from an unauthorized server.

Symantec, which makes antivirus and security software, has confirmed that older versions of its virus definition software will allow malicious programs such as Trojan horses and the remote penetration of systems running version 1.4 of LiveUpdate to occur. The risk of unauthorized intrusion is lessened on systems running the latest version 1.6, but network degradation and outages could still be possible.

German hacking group Phenoelit spotted the security hole and insists that LiveUpdate could be forced to download illicit programs onto the PC. "When LiveUpdate 1.4 is started (either by hand or by a scheduled task), it looks for the server 'update.symantec.com'," states the Phenoelit bulletin. "An attacker can use one of several attacks to return false information to the querying host."

According to the Phenoelit alert, when the host running LiveUpdate tries to connect to update.symantec.com via FTP, it is possible for an attacker to redirect the request to a server of their choice. LiveUpdate will then try to download the necessary files, which will be compared with existing versions of Symantec software installed on the host to see if an upgrade is needed. LiveUpdate will then uncompress the files and perform the actions described in their coding, which includes the execution of downloadable attachments.

LiveUpdate 1.6 follows the same update procedure but includes the safeguard of "cryptographic signatures" of all update files. According to Symantec, this makes it virtually impossible to use the latest version as a penetration tool.

Misdirection attacks can also be controlled by Norton AntiVirus products, which are designed to detect and block malicious programs.

While acknowledging the vulnerability, Symantec blamed much of the problem on inherent flaws in the domain name system (DNS), the format used to identify servers on the Internet. "The DNS attacks...have been widely known to be an Internet infrastructure problem, not a Symantec product problem, for some time and have been utilized in many well-publicized DNS spoofing, redirection, cache poisoning attacks," a Symantec statement said.

The statement also said that although LiveUpdate 1.6 could be hit by a denial of service attack, "only a small percentage of a very large user base could potentially be impacted to any degree, as the spoofing or redirection would, by its very nature, be limited to a local Internet area/region."

Symantec is encouraging users to upgrade to LiveUpdate 1.6 if they are still relying on the four-year-old 1.4 version.

Staff writer Wendy McAuliffe reported from London.