Edvice Security Services Ltd.
Symantec Norton AntiVirus 2002
Edvice Security Services Ltd. notified Symantec that Symantec Norton AntiVirus 2002 incoming email scanning protection could be bypassed by the following means:
- Embedding malicious code in a modified MIME message
- The exclusion of .nch and .dbx extensions from scanning
- MIME header with double file names
Edvice Security Services Ltd. tested Symantec Norton AntiVirus 2002 and reported the following behaviors:
- It is possible to bypass Norton AntiVirus 2002 Incoming Email Protection by injecting a NULL character into the MIME message. If the NULL character appears before the virus part, then Norton AntiVirus 2002 fails to detect the virus. Embedding virus or malicious code in specific non-RFC compliant MIME formats in some instances causes Norton AntiVirus 2002 to prematurely terminate scanning, allowing infected emails to go undetected in the initial incoming scanning process.
- Embedding malicious code in certain non-RFC compliant MIME formats in some instances causes Norton AntiVirus 2002 to prematurely terminate scanning, allowing infected e-mails to go undetected in the initial incoming scanning process.
- There are 2 file types, .nch and .dbx, which are excluded by default from Norton AntiVirus 2002 scanning. An attacker can take either a Word macro virus or an executable file with an embedded virus, rename it with an .nch or a .dbx extension, and send it to a victim. If the victim runs Norton AntiVirus 2002, these files would be excluded from being scanned. Because Windows automatically recognizes these files, double-clicking the file executes the infected document.
- Renaming a .doc or .exe file with an "excluded" extension could deceive Norton AntiVirus 2002 to exclude the file from being scanned. For example,
name=\"Virus.nch\" or Virus.dbx
In this example, the victim will receive an .exe file and not an .nch file. Microsoft Outlook determines the file name using the Content-Disposition field while Norton AntiVirus 2002 excludes the file after looking at the Content-Type field. Norton AntiVirus 2002 looks at the first "name" field while Outlook presents the filename as Virus.exe. An attacker can take a macro virus (for example, Virus.exe), rename it to Virus.nch, and send it to a potential victim. If the victim is using Norton AntiVirus 2002, the virus will not be detected by the email protection feature or by the Auto-Protect feature. However, double-clicking this file will cause it to execute.
Symantec feels that there are some basic misunderstandings concerning the impact of Edvice Security's findings. Symantec Norton AntiVirus products provide multiple-layered scanning to protect in these cases. Symantec customers are not in danger of being infected through any of these issues.
Regarding the first two issues, Symantec has confirmed that although the initial incoming scan may be bypassed in the manner described by Edvice, the Symantec Norton AntiVirus AutoProtect feature protects a system by scanning active files for viruses, Trojan horses, and worms. If malicious code is hidden in such a manner as to bypass the initial email scan, the malicious virus or code would be detected in real time by a scheduled or manual scan if the file were saved on the targeted system. Additionally, attempts to execute the malicious code would cause Symantec Auto-Protect to alert. Finally, Symantec's Script Blocking feature would further prevent any malicious scripts from running on the targeted system. That said, Symantec takes the security of its products very seriously. Symantec will have an update to address this RFC issue available via LiveUpdate shortly.
In the third issue, newsgroups use .nch files for caching and local storage while the .dbx files are the mailbox files for Microsoft Outlook Express. It is true that by renaming the file type of a malicious file to one of the excluded file types, this will bypass the initial incoming email scan. Further, by renaming a Microsoft Office document containing malicious code or macros to one of the excluded extensions, Microsoft Office will still recognize the document as a Microsoft document and execute it on the system. However, when the malicious Microsoft document is executed the Norton AntiVirus Office plug-in would scan it and alert the user to any potential malicious activity. A renamed file or a type other than a Microsoft document would not execute on the computer and, therefore, could not infect a user's computer. Symantec is reviewing the exclusion feature to respond to this type of issue.
The fourth issue is similar to the third. By renaming a file containing malicious code to one with an excluded extension and delivering it in the non-RFC compliant MIME format, Norton Antivirus' incoming email scan could be bypassed and the malicious file saved on the system as a executable file or as a Microsoft Office document. However, if an attempt is made to execute the malicious file on the computer, the file will be detected by Norton AntiVirus or by the Norton AntiVirus Office plug-in, depending on the file type, which would alert the user to any potential malicious activity. Symantec will have an update to address this RFC issue available via LiveUpdate shortly.
Symantec recommends the following Best Practices to enhance the protection of your computers from unauthorized access:
- Keep vendor-supplied patches for all software up-to-date
- Be wary of mysterious attachments and executables delivered from email, user groups, and so on
- Do not open attachments or executables from unknown sources. Always err on the side of caution
- Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment
- If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it
Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the coordination of Mickey Boodaei and Edvice Security Services Ltd. in identifying and providing technical details of potential areas of concern so it can quickly address the issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 14:49:11