In Brief

Symantec Antivirus Vulnerability; New Identity Management Acquisitions; NIST Releases HIPAA Security Guide

Symantec Antivirus Vulnerable

Versions of Symantec Norton Antivirus 2004 and 2005 have two vulnerabilities that leave the PCs running them exposed to a denial of service (DoS) attack.

Symantec released a statement, “Denial of Service in Symantec Norton AntiVirus AutoProtect,” in which the company characterizes the risk impact of the vulnerability as low.

The first vulnerability occurs when Symantec’s Auto-Protect module (a virtual device driver running in the background on a PC that watches for viruses, worms, and Trojan software) scans a certain type of file. The module “intercepts any run, open, or create activity and scans the file before allowing the action to continue,” notes Symantec.

Certain file types, particularly those introduced via a CD or copy-and-paste operation—from one system to another—cause the problem. “The resultant scan caused the system to hang and generate a general protection fault error, or blue screen of death requiring a system reboot to clear.”

The second vulnerability only affects 2005 versions of its antivirus software. A feature of the software, SmartScan, limits antivirus scanning to certain high-risk files, based on their extension, even if the extension changes. “Under certain circumstances with SmartScan enabled, renaming a file stored on a network share can induce a system crash when the modification kicks off SmartScan,” notes Symantec. “Based on the file write for the name change, SmartScan will be invoked to scan the file, which can result in excess CPU consumption and ultimately a system crash.”

Symantec released a patch for all affected products.

- - -

Identity Management Acquisitions Continue

Oracle recently purchased the Cupertino, Calif.-based identity management and federated services vendor Oblix, whose customers include American Airlines, British Airways, Cisco, General Motors, and the U.S. Postal Service.

“This is Oracle’s second identity-management acquisition in the last year—the company acquired Phaos in May 2004,” notes analyst Neil Macehiter, a partner at Macehiter Ward-Dutton in London. Oracle, of course, already sells Oracle Identity Management, though “it is targeted at its own solutions.”

What’s next? “Oracle plans to integrate Oblix’s identity-management solutions with its own Oracle identity-management technology that is part of the Oracle Application Server 10g,” says Macehiter. Expect the functionality to appear in various Oracle products, though Oracle says it will continue to sell the Oblix products as standalone entities as well.

The acquisition mirrors similar deals in which software and systems providers have bought companies specializing in identity management. Other deals included Sun buying Waveset Technologies in 2003, and in 2004, HP buying TruLogica, and Computer Associates purchasing Netegrity. Just this year, BMC snapped up Celendra and also OpenNetwork.

“This spate of acquisitions reflects a growing awareness of the role of identity management in helping organizations to provide the accountability, traceability of access to resources, and audit demanded by regulatory compliance, as well as supporting service-oriented architecture initiatives,” Macehiter says. Of course, he notes, identity management is still good at what it was initially designed for: “reducing the costs and increasing the efficiency of the processes associated with user provisioning, password management,” and so on.

In Oracle’s case, the company is gearing up to fight such rivals as BEA, IBM, and Microsoft, “all of whom rely on partnerships with the likes of Actional, Amberpoint, and Blue Titan,” he says.

SAP is also a potent competitor, and “Oracle is sure to point to the addition of identity management and web services management capabilities as strengthening its position against SAP’s NetWeaver infrastructure,” says Macehiter. “It will be interesting to see how SAP responds.”

- - -

Symantec Says Vulnerabilities Up 13 Percent

In Symantec's latest release of its latest security threat report, the company notes that phishing attacks are rising. “Over the last six months of 2004, phishing developed into a serious security risk. Attackers also increasingly targeted Web applications.”

Overall, Symantec counted 1,403 new vulnerabilities, an increase of 13 percent over the first half of 2004, and 97 percent were rated as of moderate or high severity. The average organization is targeted with 13.6 attacks per day, up from 10.6 just six months ago.

Beyond that, “in the near future, Symantec expects more damaging malicious code to be developed for mobile devices.”

- - -

NIST Releases HIPAA Security Guide

The National Institute of Standards and Technology (NIST) released Special Publication 800-66, a guide for implementing the HIPAA Security Rule, which takes effect on April 20.

The guide “identifies key NIST resources relevant to the specific security standards included in the Security Rule and provides implementation examples for each,” says NIST. Only federal agencies are required to follow the guidelines.

For more information, visit: http://csrc.nist.gov/publications/nistpubs/index.html#sp800-66

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.