Information Security News mailing list archives
Re: [vor] Re: Symantec CEO Warns of Drop in Internet Use
From: InfoSec News <isn () c4i org>
Date: Fri, 21 Nov 2003 01:16:08 -0600 (CST)
Forwarded from: Chris Wysopal <weld () vulnwatch org>
To: security curmudgeon <jericho () attrition org>
cc: InfoSec News <isn () attrition org>

Your list of vulnerabilities in security products brings up an issue that is often lost on people. When you add a band-aid instead of fixing the root problem, you are always adding risk. It is hard for people to understand, but sometimes you are lowering overall security by adding a new layer with its attendant design and implementation flaws.

We had a customer that was not satisfied with IIS basic auth security over SSL. So what did they do? They added a single sign-on ISAPI plugin. Well, that plugin had a buffer overflow that allowed you to not only log in with no credentials but execute code on the server.

The moral is: unless you do security acceptance testing on the components you are adding, you are just guessing that you are increasing security. The poor track record of even security product companies is the evidence.

-weld

On Thu, 20 Nov 2003, security curmudgeon wrote:
: http://www.eweek.com/article2/0,4149,1390273,00.asp
:
: November 19, 2003
: By Dennis Fisher
:
: LAS VEGAS - If software vendors and security companies don't get their
: act together and start producing better products, users will begin
: dropping off the Internet out of sheer frustration, predicted John
: Thompson, chairman and CEO of Symantec Corp., in his keynote speech at
: Comdex here Wednesday.
:
: Thompson challenged vendors to begin turning out more secure software
: solutions and to take the initiative in trying to protect customers from
: attackers and themselves. If that doesn't come to pass, then Internet
: users—especially less savvy consumers—will reduce the amount of time
: they spend on the Internet and only use it when they absolutely need to.

Symantec PCAnywhere Chat Client Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/9052

Symantec PCAnywhere Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/9045

Symantec Norton Internet Security Error Message Cross-Site Scripting
http://www.securityfocus.com/bid/8904

Symantec AntiVirus For Handhelds Scanning Bypass Vulnerability
http://www.securityfocus.com/bid/8639

Symantec Norton AntiVirus Device Driver Memory Overwrite Vulnerability
http://www.securityfocus.com/bid/8329

Symantec Quarantine Server Disconnect Denial Of Service Vulnerability
http://www.securityfocus.com/bid/8306

Symantec NAVCE Failure To Scan Floppy Disks Vulnerability
http://www.securityfocus.com/bid/8077

Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/8008

Symantec Enterprise Firewall HTTP Pattern Matching Evasion Weakness
http://www.securityfocus.com/bid/7196

Symantec Norton Internet Security ICMP Packet Flood Denial Of Service
http://www.securityfocus.com/bid/6598

Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/6389

Symantec Java! JustInTime Compiler Command Execution Vulnerability
http://www.securityfocus.com/bid/6222

Symantec NAVCE Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/5966

Multiple Symantec HTTP Proxy Denial of Service Vulnerability
http://www.securityfocus.com/bid/5958

Multiple Symantec HTTP Proxy Information Disclosure Vulnerability
http://www.securityfocus.com/bid/5959

Symantec VelociRaptor Denial of Service Vulnerability
http://www.securityfocus.com/bid/5909

Multiple Symantec Product Weak TCP Initial Sequence Number Vulnerability
http://www.securityfocus.com/bid/5387

Symantec Norton Personal Firewall/Internet Security 2001 Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/5237

Symantec Norton Personal Firewall 2002 Portscan Protection Bypass Vulnerability
http://www.securityfocus.com/bid/4521

Symantec Raptor / Enterprise Firewall FTP Bounce Vulnerability
http://www.securityfocus.com/bid/4522

Symantec Norton Personal Firewall 2002 Fragmented Packet Vulnerability
http://www.securityfocus.com/bid/4545

Symantec Norton AntiVirus NULL Characters Incoming Email Protection Bypass Vulnerability
http://www.securityfocus.com/bid/4242

Symantec Norton AntiVirus Non-RFC Compliant Email Protection Bypass Vulnerability
http://www.securityfocus.com/bid/4243

Symantec Norton AntiVirus Excluded Filetype Email Protection Bypass Vulnerability
http://www.securityfocus.com/bid/4245

Symantec Norton AntiVirus Conflicting MIME Header Vulnerability
http://www.securityfocus.com/bid/4246

Symantec Ghost Corporate Edition 7.0 Plain Text Credentials Vulnerability
http://www.securityfocus.com/bid/4181

Symantec Norton Antivirus LiveUpdate Plaintext Credentials Vulnerability
http://www.securityfocus.com/bid/4170

Symantec Enterprise Firewall Notify Daemon SNMP Data Loss Vulnerability
http://www.securityfocus.com/bid/4139

Symantec Enterprise Firewall SMTP Proxy Information Leak Vulnerability
http://www.securityfocus.com/bid/4141

Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
http://www.securityfocus.com/bid/3403

Symantec Norton Antivirus LiveUpdate DoS Vulnerability
http://www.securityfocus.com/bid/3413

Symantec Ghost Configuration Server DoS Attack
http://www.securityfocus.com/bid/2570

Symantec pcAnywhere Port Scan DoS Vulnerability
http://www.securityfocus.com/bid/1150

Symantec pcAnywhere Weak Encryption Vulnerability
http://www.securityfocus.com/bid/1093

Symantec Mail-Gear Directory Traversal Vulnerability
http://www.securityfocus.com/bid/827

Hrm?

: "There is no cost [to send spam]; therefore, people send all kinds of
: junk. Service providers can fix this by changing the economics of the
: situation," he said. "Don't rely on legislative initiatives. A simple
: technology solution solves this problem. You know what's coming through
: your network. If someone is sending 100,000 e-mails, block them. I don't
: understand why you need to appeal to the government."

Great theory, but I wonder. If the solution is SO easy, and requires e-mail senders to pay for each outgoing email, why hasn't Symantec developed the solution? If it is that easy, then Symantec could easily jump into a billion+ dollar cash cow.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.