Wednesday, 27 June 2012

Symantec have fixed some exploits in Symantec Message Filter

Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.

It took them 6 months, so I am not impressed with their patching cycle, or with their focus on IT security generally (this is supposed to be a security product, after all).

Basically, as I described at BlackHat EU back in May 2012, this product's installer shipped versions of Tomcat and MySQL that were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).

Additionally (which I felt I couldn't describe at the time, because it was 0-day), there were session-management and information-disclosure issues in the administrative UI, plus Cross-Site Request Forgery (CSRF) of administrative functions and XSS.
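For the CSRF-of-administrative-functions class mentioned above, the following is an added illustration (my own example code, not Symantec's product code and not from the advisory) of the server-side check a web admin UI needs before it performs any state-changing action: a per-session synchronizer token compared in constant time, with an Origin/Referer check as defence in depth. The function and field names (`issue_csrf_token`, `admin_action_allowed`, `csrf_token`) and the origin `https://admin.example.test` are assumptions chosen for the example.

```python
import hmac
import secrets
from typing import Mapping, MutableMapping

# Hypothetical form-field name for the anti-CSRF token (an assumption for this example).
TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session: MutableMapping[str, str]) -> str:
    """Create (or reuse) a per-session anti-CSRF token.

    The token lives server-side in the session and is embedded in every
    admin form that performs a state-changing action.  An attacker's page
    cannot read it, so a forged cross-site request cannot supply it.
    """
    token = session.get(TOKEN_FIELD)
    if not token:
        token = secrets.token_urlsafe(32)
        session[TOKEN_FIELD] = token
    return token


def origin_matches(headers: Mapping[str, str], expected_origin: str) -> bool:
    """Defence in depth: the Origin (or, failing that, Referer) header of a
    state-changing request must name the admin UI's own origin.

    A request carrying neither header is rejected rather than trusted.
    """
    origin = headers.get("Origin")
    if origin is None:
        origin = headers.get("Referer")
    if origin is None:
        return False
    return origin == expected_origin or origin.startswith(expected_origin + "/")


def admin_action_allowed(
    session: Mapping[str, str],
    form: Mapping[str, str],
    headers: Mapping[str, str],
    expected_origin: str,
) -> bool:
    """Return True only if the request carries the session's token and
    comes from the admin UI's own origin; otherwise the action must be refused."""
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return False
    return origin_matches(headers, expected_origin)


if __name__ == "__main__":
    # Constructed sample session and requests.
    session = {}
    token = issue_csrf_token(session)
    own_origin = "https://admin.example.test"
    print(admin_action_allowed(session, {TOKEN_FIELD: token},
                               {"Origin": own_origin}, own_origin))      # True
    print(admin_action_allowed(session, {},
                               {"Origin": own_origin}, own_origin))      # False
```

The token check is the primary control; the origin check catches the case where a token has leaked (for instance through the information-disclosure issues also mentioned above) but the request still arrives from a foreign site. The token is tied to the session, so it must be regenerated whenever the session itself is re-issued, for example at login.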

More detail is here:
http://www.symantec.com/security_response/securityupdates/detail.jsp?suid=20120626_00&fid=security_advisory&pvid=security_advisory&year=2012

The CVEs are:

CVE-2012-0300
CVE-2012-0301
CVE-2012-0302
CVE-2012-0303
