Symantec Raises Warnings about Microsoft Vulnerabilities

Symantec has raised the DeepSight ThreatCon from a level 1 to a level 2. Symantec’s ThreatCon Rating provides an overall view of global Internet Security and is based on a 1 - 4 rating system, with a level 4 being the highest threat level.

Below is information on the Microsoft vulnerabilities that Symantec views as most critical to consumers and enterprises as well as Symantec solutions that protect against them. A complete view of all the vulnerabilities released by Microsoft can be found at http://www.microsoft.com/security/security_bulletins/200404_windows.asp.

1. Security Update for Microsoft Windows (835732)

Microsoft disclosed several new vulnerabilities for Microsoft Windows and has issued a security bulletin based on these vulnerabilities (see http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx)

All of these vulnerabilities are viewed as critical by Symantec. However, Symantec has identified the LSASS Vulnerabiliity (below) as one of the most severe and encourages users to install the patch provided by Microsoft immediately.

Local Security Authority Subsystem Service (LSASS) Vulnerability - Symantec has rated this threat as critical. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If the system was compromised, an attacker could gain complete control of the machine and perform actions on the affected machine similar to a user or administrator, such as erase files, steal information, etc.

Symantec Protection/Recommendations: In addition to best practices, Symantec encourages users to install the patch provided by Microsoft. By default, Symantec's full application inspection firewall technology protects against the LSASS vulnerability by blocking all unused incoming ports. No additional configuration or patch is required. Firewall administrators are advised to verify that their security policy does not include opening the following ports UDP: 135, 137, 138, 44 and TCP 135, 139, 445, 593.

Symantec customers who are using products that include Symantec's personal firewall technology, such as Norton Personal Firewall, Norton Internet Security and Symantec Client Security are automatically protected from this vulnerability. Users should also block the various ports above that are at risk.

2. Cumulative Security Update for Outlook Express (837009)

Microsoft has issued a cumulative update that includes all previously-released updates for Outlook Express 5.5 and Outlook Express 6.0 (see http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx)

This update includes security fixes for vulnerabilities that are currently being exploited in the wild. Symantec cautions users that these vulnerability can be exploited through the Outlook Preview pane, and could allow a worm/blended threat to automatically infect systems, which could result in an attacker gaining complete control of the users machine. These vulnerability can also be exploited by visiting a malicious Web site. In this scenario, the attacker would have to host a Web site that contains a Web page that can be used to exploit these vulnerability. An attacker would then have to lure the user to that site, typically by getting them to clink on a specific link. This may decrease the risk associated with these vulnerability.

Symantec Protection/Recommendations: Symantec has rated this threat as critical. These versions of Outlook Express are widely used and Symantec strongly encourages users to install the patch provided by Microsoft to patch their systems as soon as possible. Symantec's AntiVirus solutions automatically protect against threats related to this vulnerability through its Bloodhound heuristics.

3. Cumulative Update for Microsoft RPC/DCOM (828741)

Microsoft has issued an update for several new vulnerabilities in RPC/DCOM (see http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx)

Platforms that may be affected by this vulnerabilitiy include Windows 98, NT, XP, Win 2003, Win XP 64. If a system was compromised, an attacker could take any action including installing programs; viewing or changing information, deleting data etc.

Symantec Protection/Recommendations: In addition to best practices, Symantec encourages users to install the patch provided by Microsoft. By default, Symantec's full application inspection firewall technology protects against this vulnerability by blocking all unused incoming ports. Firewall administrators are advised to verify that their security policy does not include the following incoming ports. UDP: 135, 137, 138, 445 and TCP: 135, 139, 445, 593. Additionally, by default RPC over HTTP (TCP port 80 or 443) is blocked by the FW. No additional configuration or patch is required.

Symantec customers who are using products that include Symantec's personal firewall technology, such as Norton Personal Firewall, Norton Internet Security and Symantec Client Security are automatically protected from this vulnerability. Users should also block the various ports above that are at risk.