Home page logo

isn logo Information Security News mailing list archives

Re: Security hole found in Symantec update tool
From: InfoSec News <isn () c4i org>
Date: Mon, 15 Oct 2001 03:02:42 -0500 (CDT)

Forwarded from: Paul Cardon <paul () moquijo com>

InfoSec News wrote:
While acknowledging the vulnerability, Symantec blamed much of the
problem on inherent flaws in the domain name system (DNS), the
format used to identify servers on the Internet. "The DNS
attacks...have been widely known to be an Internet infrastructure
problem, not a Symantec product problem, for some time and have
been utilized in many well-publicized DNS spoofing, redirection,
cache poisoning attacks," a Symantec statement said.

Bah.  It IS a Symantec product problem because they were relying on an
intrustable infrastructure rather than using a mechanism to actually
authenticate the Live Update server or the data it provides to the
client like they do with the newer version.  Blaming the
infrastructure is disingenuous at best.  If a system is to be secure,
the trustability and validity of ALL externally provided input must be


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]