Category:   Application (Security)  >   Norton Anti-Virus
Vendors:   Symantec
(Vendor Issues Advisory) Symantec Norton Anti-Virus Lets Remote Users Execute Applications on the Target User's System
SecurityTracker Alert ID:  1010250
SecurityTracker URL:  http://securitytracker.com/id/1010250
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 21 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2004
Description:   A vulnerability was reported in Norton Anti-Virus 2004. A remote user can execute applications on the target user's system in certain cases. A remote user can also cause denial of service conditions on the target system.

SecureNet Service reported that a remote user can create HTML that, when loaded by the target user, will cause the anti-virus application to freeze. The flaw reportedly resides in an ActiveX control used by the anti-virus software.

The report also indicates that a remote user can cause an arbitrary executable to run on the target user's system if the remote user knows the location of the executable file.

Yuu Arai is credited with discovering this flaw.

The original advisory is available at:

http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/72_e.html

Impact:   A remote user can cause denial of service conditions on the target user's system.

A remote user may be able to cause an executable file on the target user's computer to run.

Solution:   A fix is available via LiveUpdate. The vendor recommends that all users of Symantec Norton AntiVirus 2004 update immediately to apply this fix by running a manual update via the following steps [quoted]:

* Open any installed Symantec product
* Click on LiveUpdate in the toolbar
* Run LiveUpdate until all available Symantec product updates are downloaded and installed

Vendor URL:  securityresponse.symantec.com/avcenter/security/Content/2004.05.20.html
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 21 2004 Symantec Norton Anti-Virus Lets Remote Users Execute Applications on the Target User's System



 Source Message Contents

Date:  Fri, 21 May 2004 09:22:46 -0400
Subject:  http://securityresponse.symantec.com/avcenter/security/Content/2004.05.20.html


SYM04-009
May 20, 2004
Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability

Revision History
None

Risk Impact
Medium

Overview
LAC (Little eArth Corporation, Ltd) notified Symantec of a security issue they discovered 
in an ActiveX control used by Symantec Norton AntiVirus 2004. If properly exploited this 
vulnerability could allow remote execution of code residing on the local system with 
privileges of the logged on user, launch of unauthorized popups or a denial of service 
(DoS) against the Symantec Norton AntiVirus application on the targeted system.

Affected Components
Symantec Norton AntiVirus 2004

Details
LAC notified Symantec of a vulnerability in an ActiveX control used in Symantec Norton 
AntiVirus 2004. The ActiveX control does not properly verify/validate external input. A 
malicious individual could potentially exploit this control to launch arbitrary 
executables of the attacker's choice with user privileges. The vulnerability could also be 
used to launch an unauthorized URL (pop-up) on the system; or, create a DoS situation 
causing the Symantec Norton AntiVirus application to freeze.

To successfully launch an executable, the executable program would have to already exist 
on the local system and the location of the executable known to the attacker. This could 
limit the potential impact of this type of attack. In all of these types of attacks, the 
attacker would need to either entice the targeted user to visit a location where the 
malicious script could be launched or to download and launch the malicious script on their 
system.

Symantec Response
Symantec verified the issues LAC reported in Symantec Norton AntiVirus 2004. Symantec 
product engineers have developed a fix and released patches for all impacted product 
versions through Symantec's LiveUpdate.

Symantec recommends all users of Symantec Norton AntiVirus 2004 update immediately to 
apply this fix.

Symantec users who normally run manual LiveUpdates will already be protected. However, to 
ensure all available patches have been properly applied to Symantec products, users should 
run a manual LiveUpdate as follows:

     * Open any installed Symantec product
     * Click on LiveUpdate in the toolbar
     * Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec is not aware of any active exploits for or customer impact from this issue.

As a part of normal user best practice, Symantec recommends a multi-layered approach to 
security.

Users, at a minimum, should run both a personal firewall and antivirus application with 
current updates to provide multiple points of detection and protection to both inbound and 
outbound threats.

Users should keep vendor-supplied patches for all application software and operating 
systems up-to-date.

Users should be cautious of mysterious attachments and executables delivered via email and 
be cautious of visiting unknown/untrusted websites or opening unknown URL links.

Do not open unidentified attachments or executables from unknown sources or that you 
didn't request or were unaware of. Always err on the side of caution. Even if the sender 
is known, the source address may be spoofed.

If in doubt, contact the sender to confirm they sent it and why before opening the 
attachment. If still in doubt, delete the attachment without opening it.

CVE
A CVE candidate number has been requested from the Common Vulnerabilities and Exposures 
(CVE) initiative. This advisory will be revised appropriately when received.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which 
standardizes names for security problems.

Credit
Symantec appreciates the cooperation of Yuu Arai and the Little eArth Corporation security 
research team in identifying these issues.

Symantec Product Security Contact Information
Symantec takes the security and proper functionality of its products very seriously. As 
founding members in the Organization for Internet Safety, Symantec follows the process of 
responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined 
by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com 
if you feel you have discovered a potential or actual security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting vulnerability information 
to secure@symantec.com. The Symantec Product Security PGP key can be obtained here.

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not 
edited in any way unless authorized by Symantec Security Response. Reprinting the whole or 
part of this alert in any medium other than electronically requires permission from 
symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based 
on currently available information. Use of the information constitutes acceptance for use 
in an AS IS condition. There are no warranties with regard to this information. Neither 
the author nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered 
trademarks of Symantec Corp. and/or affiliated companies in the United States and other 
countries. All other registered and unregistered trademarks represented in this document 
are the sole property of their respective companies/owners.

Last modified on: Thursday, 20-May-04 15:34:54

 
 



Copyright 2012, SecurityGlobal.net LLC