SecurityTracker.com

SecurityTracker
Archives







Category:  Application (Security)  >  Norton Internet Security
Vendors:  Symantec
(Vendor Confirms) Re: Symantec Norton Internet Security Blocked Page Message Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008023
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Oct 28 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 6.0.4.34
Description:  An input validation vulnerability was reported in Symantec's Norton Internet Security 2003. A remote user can conduct cross-site scripting attacks.

DigitalPranksters reported that when Norton Internet Security blocks a particular URL, a page displays the blocked URL but does not filter HTML code from the URL. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will run in the security context of the blocked site. As a result, the code may be able to access the target user's cookies (including authentication cookies), if any, associated with unblocked portions of the site, access data recently submitted by the target user via web form to the unblocked portions of the site, or take actions on the unblocked portions of the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with a blocked site, access data recently submitted by the target user via web form to the unblocked portions of the site, or take actions on the unblocked portions of the site acting as the target user.
Solution:  The vendor confirms that Norton Internet Security 2003 and 2004 are affected. The vendor indicates that a fix will be issued via Live Update in an upcoming release.
Vendor URL:  www.symantec.com/sabu/nis/nis_pe/index.html
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  Sym Security <symsecurity@symantec.com>
Message History:   This archive entry is a follow-up to the message listed below.
Oct 27 2003 Symantec Norton Internet Security Blocked Page Message Lets Remote Users Conduct Cross-Site Scripting Attacks
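
The flaw described above (a block notice that echoes the requested URL without filtering HTML) next to its fix, as an added example that is not Symantec's or SecurityTracker's code. The template, function names and sample URLs are constructed for illustration, and percent-decoding the URL before display is an assumption.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical notice template; the product's real markup is not on the page.
TEMPLATE = ("<html><body><h1>Site blocked</h1>"
            "<p>Access to <span>{url}</span> is restricted.</p></body></html>")
TEMPLATE_TAGS = ["html", "body", "h1", "p", "span"]

def render_unsafe(requested_url):
    """The flaw as reported: the blocked URL is echoed into HTML unfiltered."""
    return TEMPLATE.format(url=unquote(requested_url))

def render_safe(requested_url):
    """Decode first, then HTML-encode, so the URL is only ever shown as text."""
    return TEMPLATE.format(url=html.escape(unquote(requested_url), quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag a browser-style parser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page):
    """Return start tags in the rendered page that the template did not supply."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    extra = list(collector.tags)
    for tag in TEMPLATE_TAGS:
        if tag in extra:
            extra.remove(tag)
    return extra

# Constructed sample inputs (inert markup; the hostname is a placeholder).
SAMPLES = [
    "http://blocked.example/index.html",
    "http://blocked.example/<script>/* constructed */</script>",
    "http://blocked.example/%3Cimg%20src=x%3E",  # percent-encoded markup
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, injected_tags(render_unsafe(url)), injected_tags(render_safe(url)))
```

The `injected_tags` check works as a regression test for any page that reflects request data: a non-empty result means input reached the parser as markup rather than text.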



 Source Message Contents

Date:  Tue, 28 Oct 2003 13:43:03 -0600
From:  Sym Security <symsecurity@symantec.com>
Subject:  RE: Norton Internet Security Blocked Sites XSS

 

On 27 Oct, 2003 Digital Pranksters posted the following:

To: bugtraq@securityfocus.com
Subject: Norton Internet Security 2003 XSS
Date:  Oct 27 2003 7:26PM
Message-ID: <Pine.LNX.4.44.0310271323470.9099-100000@mail>

DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

Norton Internet Security Blocked Sites XSS

Risk: Low

Product: Norton Internet Security 2003 v6.0.4.34 (Maybe others we only
tested this version)

-----------------snip-------------

27 October 2003
Symantec Network Internet Security (NIS) Blocked Site Return Messages Not Properly Validated

Risk
Low

Overview
A security group, The Digital Pranksters, reported an issue they discovered in Symantec's Norton Internet Security product. The URL in the return message from a site on the blocked list in the Norton Parental Control feature can allow an unauthorized script to run on the client system.

Components Affected
Symantec's Norton Internet Security 2003
Symantec's Norton Internet Security 2004

Description
Symantec's Norton Internet Security blocks inappropriate web content to help parents keep their children safe from inappropriate material while online. The Norton Parental Control blocks access to newsgroups and Web sites that may not be suitable for children. When a link is accessed or followed to one of the sites on the blocked list, Norton Internet Security returns a message stating that the site is restricted and has been blocked. The returned message included the URL of the restricted site and is presented in a separate browser window Norton Internet Security opens on the client system. Digital Pranksters reported that they were able to supply a URL from a blocked site that contained additional unauthorized script embedded in the URL. This script displayed in the blocked access message window on the client system.
 
Symantec Response
Symantec has verified this issue. There is a bug in the way Norton Internet Security is validating the content it returns in the informational page. This is being fixed and will be forthcoming in a future LiveUpdate to Norton Internet Security products.

The risk presented by this bug is very low to non-existent. Any unauthorized script returned in the blocked site URL runs in the context of the informational window that Norton Internet Security opens on the client system. This is a very restricted environment providing no access to the client system outside of the display window or any unauthorized information from the client system to be sent out. While it presents little risk to the client system, it is unwarranted action that is being addressed.

Symantec takes any potential security issues with Symantec products very seriously. While the issue described by the Digital Pranksters applies only to the subset of Web sites contained in the Norton Internet Security Block Site list, there are many other malicious Web sites on the Internet and many ways of enticing a careless surfer to visit such a site. Symantec recommends the following best practices as part of a normal security posture:

* Keep vendor-supplied security patches and updates for all application software and operating systems current.
* Run current Anti-Virus/Firewall applications and keep the definitions updated. Systems should be scanned on a regular basis.
* Be wary of attachments delivered via email. Especially ones with .vbs, .bat, .exe, .pif and .scr file extensions that are commonly used to spread viruses, worms, and trojans.
* Even if the sender is known, users should be wary of attachments or unknown files if the sender does not thoroughly explain the content in the body of the email. The source of the original attachment is often unknown.
* If in doubt, users should contact the sender before opening the attachment or downloading the file to see if, in fact, they did intend to send it. If there is still doubt, users should delete the document in question without opening it.
* If you intend to download an attachment, download to a separate folder and scan prior to opening.
* Practice safe surfing.
 
Credit
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Digital Pranksters security team in identifying and providing details of this area of concern as well as working closely with Symantec to properly address the issue. Anyone with information on security issues or concerns with Symantec products should contact symsecurity@symantec.com

Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or parts of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Symantec Security Response
symsecurity@symantec.com
http://securityresponse.symantec.com

 



Copyright 2002, SecurityGlobal.net LLC