Symantec Fixes DNS Cache Poisoning Problem

Symantec releases updated hotfixes for several of its gateway products that suffer from a vulnerability hackers have already used to poison DNS caches and redirect users to malicious sites.

InformationWeek Staff, Contributor

March 16, 2005

Symantec on Tuesday released updated hotfixes for several of its gateway products that suffer from a vulnerability hackers have already used to poison DNS caches and redirect users to malicious sites.

Although Symantec released patches earlier this month for its Gateway Security 5300 and 5400 Series, the Windows and Solaris editions of its Symantec Enterprise Firewall 7.0.x and 8.0, and its Symantec VelociRaptor, the new fixes "further hardens the DNSd for protection against an additional potential vector identified by Symantec engineers during our post-analysis," said the Cupertino, Calif.-based security firm in a bulletin on its Web site.

The DNS cache poisoning incident began March 4; the same day, the Internet Storm Center noted that it had received reports of users being redirected from popular sites such as Google and eBay to a malicious page where spyware and adware were being distributed.

Damage was limited, however; ISPs blocked the malicious sites soon after the redirect was discovered.

Analysts at Netcraft, among others, identified several of Symantec's products as culprits. Symantec, however, noted in its bulletin that its gateway may not have been the only exploit vector.

"Non-Symantec product users reported similar activity, so this malicious action appears not to have been limited to Symantec security gateway products," the company said.

The fixes are available from the Enterprise Support site.
