Symantec Issues Hotfix for DNS Cache Poisoning Flaw

March 16, 2005
March 16, 2005 - (HOSTSEARCH.COM) - Symantec released a patch for its firewalls yesterday to fix a security hole. Symantec firewalls with DNS caching have been hit by DNS cache poisoning, which reroutes users from websites like Google and eBay to fake sites that then download ABX toolbar spyware, although the ISC reports that “users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit.”

The flaw was first reported by the ISC. Symantec explained it as follows: “Affected Symantec security gateways include a DNS proxy, called DNSd, which can be configured to function as a DNS caching server (default) or as a primary DNS server. Under specific conditions, DNSd may be susceptible to DNS cache poisoning. DNS cache poisoning occurs when incorrect or false DNS records are inserted into a DNS server's cache tables, overwriting a valid name server record with its own DNS server address. Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site. In this case, reporting on this activity from the Internet Storm Center, SANS, indicated that some users were being redirected to web sites that attempted to download spyware/adware modules to the users' browsers. Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS servers' configuration was corrected.”
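The advisory does not say which conditions exposed DNSd, so the following is an added example of a general defense, not Symantec's code: a bailiwick check that keeps a caching resolver from storing records for names outside the zone of the server it asked, which is how an unrelated name server record gets overwritten. All zone names, addresses and function names are constructed for illustration.

```python
# Added example: bailiwick filtering before a caching resolver stores records.
# Zone names and addresses are constructed (reserved documentation values).

def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(owner, zone):
    """True when owner is the zone itself or a name below it (label-wise)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(server_zone, records):
    """Split records from a server authoritative for server_zone into
    (accepted, rejected). Only in-bailiwick owner names may be cached."""
    accepted, rejected = [], []
    for rec in records:
        owner = rec[0]
        (accepted if in_bailiwick(owner, server_zone) else rejected).append(rec)
    return accepted, rejected

def cache_update(cache, server_zone, records):
    """Store accepted records keyed by (owner, type); return what was refused."""
    accepted, rejected = filter_response(server_zone, records)
    for owner, rtype, rdata in accepted:
        cache.setdefault((owner.lower().rstrip("."), rtype), set()).add(rdata)
    return rejected

# Constructed response to a query for www.example.net, sent to a server
# that is authoritative only for example.net.
SAMPLE = [
    ("www.example.net.", "A", "192.0.2.10"),        # the answer asked for
    ("example.com.", "NS", "ns1.rogue.example."),   # unrelated zone's NS record
    ("ns1.rogue.example.", "A", "203.0.113.66"),    # address for that NS
    ("WWW.notexample.net.", "A", "203.0.113.67"),   # suffix look-alike name
]

if __name__ == "__main__":
    cache = {("example.com", "NS"): {"ns1.example.com."}}  # existing valid entry
    for rec in cache_update(cache, "example.net", SAMPLE):
        print("refused out-of-bailiwick record:", rec)
    print(cache)
```

The comparison is done label by label, so `notexample.net` is not treated as part of `example.net`, and the cached `example.com` name server entry is left untouched.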
