Symantec Fixes BrightMail AntiSpam Flaws

The Internet security vendor patches a pair of bugs that could cause data manipulation, denial-of-service attacks or the exposure of sensitive information.

Internet security vendor Symantec has shipped patches to cover a pair of vulnerabilities in its enterprise-facing BrightMail AntiSpam product.

Cupertino, Calif.-based Symantec warned in an advisory that the bugs could lead to data manipulation, denial-of-service attacks or the exposure of sensitive information.

Affected products include Symantec BrightMail AntiSpam 4.x through 6.x. The company recommends that customers immediately update to version 6.0.4 or upgrade to Symantec Mail Security for SMTP 5.0.

Security alerts aggregator Secunia rates the issue as "moderately critical."

Symantec said the vulnerability is caused because the anti-spam software fails to fully sanitize file names passed to the DATABLOB-GET / DATABLOB-SAVE requests of directory traversal sequences.

"This directory traversal vulnerability could result in confidential system information being exposed," the company said.

/zimages/2/28571.gifClick here to read more about BrightMail DoS flaws.

The second flaw applies to the BrightMail AntiSpam Control Center that controls e-mail scanners.

During the installation of the e-mail scanner, if the user chooses an option to allow the Control Center to connect from any computer, it opens the door for a remote attacker to impersonate the Control Center.

Symantec said the attacker could send invalid posts to the anti-spam service, causing a denial-of-service condition.

The company also warned that the two flaws can be combined to expose some system files or allow files to be overwritten.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.