Security - Death by Firewall
Every security expert and book (including "Always use
Protection") talks about the importance of having a firewall.
But what if the firewall itself contains a security vulnerability?
Oops!
Our sympathy to the folks at Internet Security Systems (www.iss.net),
makers of RealSecure and BlackIce. Even more sympathy to the owners of the
12,000 or so computers demolished by the "witty" worm starting
on March 19th or 20th 2004. This worm, when it lands on a
vulnerable system, first tries to propagate itself by trying to
reach other systems, then proceeds to write random
data on the hard drive. The likely result: targeted computers
have all drive data lost or corrupted, and need complete
reinstalls.
How did it happen?
ISS released updates to these
firewalls about a week before the worm was launched into
the wild. The moral of this story: If you're using a
software firewall, remember to keep it up to date!
Remember what a firewall does. It examines incoming packets of
data to prevent those that are unwanted. For example: let's say
someone discovers a vulnerability in a Windows service that is
listening at a certain port. Well, if your firewall is blocking
that port, even if your operating system is vulnerable, the
firewall will prevent an attack from succeeding. The way you
normally use firewalls is, in fact, to block all incoming ports by
default, and only open those ports that you need (say, to host a
web site or a game server).
But what happens when the firewall itself is vulnerable to
attack?
That's what happened here. After all, in order for a firewall
to decide which packets to forward to your operating system, the
firewall itself has to examine every packet. In this case the worm
exploits a stack overflow (similar to the buffer overflow
described in the book) in order to load itself on your computer
and infect it.
Looks like their firewall needs a firewall?
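An added illustration in C of the point above (not code from ISS or from the book): a packet inspector must parse sender-supplied bytes before it can apply any port policy, so an unchecked copy in the parser is reachable even when every port is blocked. The packet layout, function names and sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format (an assumption, not any real product's protocol):
 * bytes 0-1 destination port (big endian), byte 2 name length, then the name. */
enum verdict { DROP_MALFORMED, DROP_POLICY, FORWARD };
#define NAME_MAX_LEN 32

/* UNSAFE, for contrast only and never called: the length byte is chosen by
 * the sender, so up to 255 bytes can be copied into a 32-byte stack buffer. */
char inspect_unsafe(const uint8_t *pkt)
{
    char name[NAME_MAX_LEN];
    memcpy(name, pkt + 3, pkt[2]);   /* no bounds check */
    return name[0];
}

/* Hardened: each length is checked against the bytes actually received and
 * against the destination buffer before anything is copied. */
enum verdict inspect(const uint8_t *pkt, size_t len, uint16_t open_port)
{
    char name[NAME_MAX_LEN + 1];
    if (len < 3)
        return DROP_MALFORMED;       /* header truncated */
    size_t n = pkt[2];
    if (n > NAME_MAX_LEN || n > len - 3)
        return DROP_MALFORMED;       /* claimed length exceeds buffer or packet */
    memcpy(name, pkt + 3, n);
    name[n] = '\0';                  /* field is now safe to log or match */
    /* The port policy is applied only after parsing, so packets aimed at
     * closed ports still reach the parser: it must survive hostile input. */
    uint16_t port = (uint16_t)((pkt[0] << 8) | pkt[1]);
    return port == open_port ? FORWARD : DROP_POLICY;
}

/* Constructed sample packets. */
const uint8_t PKT_OPEN[]     = { 0x00, 0x50, 3, 'w', 'e', 'b' };        /* port 80 */
const uint8_t PKT_CLOSED[]   = { 0x27, 0x0F, 3, 'f', 'o', 'o' };        /* port 9999 */
const uint8_t PKT_OVERLONG[] = { 0x27, 0x0F, 200, 'A', 'A', 'A', 'A' }; /* lies about length */

int main(void)
{
    return !(inspect(PKT_OPEN, sizeof PKT_OPEN, 80) == FORWARD &&
             inspect(PKT_CLOSED, sizeof PKT_CLOSED, 80) == DROP_POLICY &&
             inspect(PKT_OVERLONG, sizeof PKT_OVERLONG, 80) == DROP_MALFORMED);
}
```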