Severity: Medium
4 April, 2008
Summary:
- These vulnerabilities affect: Symantec’s Internet Security Suite, and other Norton products (see Exposure section for details)
- How an attacker exploits them: By enticing one of your users into visiting a malicious web site
- Impact: An attacker can execute code on your user’s computer, with your user’s privileges
- What to do: Force a LiveUpdate immediately to ensure that you have the latest versions of Norton software
Exposure:
In posts [ 1 / 2 ] to the Full-Disclosure mailing list, iDefense describes two security vulnerabilities that affect an ActiveX control which ships with Norton Internet Security Suite. The flaws also affect Norton 360, Norton AntiVirus, and Norton SystemWorks.
According to Symantec, symadata.dll is an ActiveX control used to help its support reps troubleshoot consumer products remotely. iDefense warns that this ActiveX control suffers from two security vulnerabilities. The first — and worst — involves a buffer overflow vulnerability. By enticing one of your users to a specially designed web page, an attacker could exploit this overflow to execute code on your user’s computer, with that user’s privileges. If you give your Windows users local administrator privileges, the attacker could leverage this vulnerability to gain complete control of their computers.
The second flaw involves a design issue. As we’ve mentioned, Symantec actually designed the symadata.dll ActiveX control to give support reps some control over remote computers, in order to help troubleshoot problems for consumers. As a security measure, Symantec designed the ActiveX control to run from the symantec.com domain only. However, attackers know many sneaky techniques (such as Cross-Site Scripting (XSS) attacks and DNS poisoning) that can help them trick your computer into thinking they are coming from a legitimate domain. By enticing one of your users to a specially crafted web site, and exploiting these techniques, an attacker can trick Symantec’s ActiveX control into behaving as though it were running from the symantec.com domain, thus gaining complete access to the ActiveX control’s functionality. Among other things, this ActiveX control allows the attacker to load and execute code from a remote WebDAV or SMB share, potentially allowing them to gain control of your user’s computer.
Solution Path:
Symantec has released updates to fix these vulnerabilities. If you have enabled LiveUpdate, you should have received Symantec’s patch automatically. For more information about LiveUpdate:
You can also visit Symantec’s Autofix Tool page to receive the updated ActiveX control. (Ironically, you will have to allow Symantec to install and run an ActiveX control in order to get the update from this page.)
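To confirm that LiveUpdate actually replaced the control on a given workstation, the following PowerShell sketch lists every COM registration whose in-process server is symadata.dll and reports the version and modification time of the DLL on disk. It is an added example, not code from Symantec, iDefense, or the original alert. The alert does not give the fixed version number, so compare the output before and after updating; the function name and output field names are illustrative.

```powershell
# Added example: read-only inventory of symadata.dll ActiveX registrations.
$dllName = 'symadata.dll'   # file name taken from the alert above

# COM classes live under Classes\CLSID; on 64-bit Windows, 32-bit controls
# are registered under the WOW6432Node view, so both are searched.
$roots = 'HKLM:\SOFTWARE\Classes\CLSID',
         'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'

function Get-SymadataRegistration {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            # InprocServer32's default value is the DLL implementing the class.
            try   { $sub = $key.OpenSubKey('InprocServer32') }
            catch { continue }          # key not readable with current rights
            if ($null -eq $sub) { continue }
            $server = [string]$sub.GetValue('')
            $sub.Close()
            if ($server -notlike "*$dllName*") { continue }

            # Registered paths are sometimes quoted; strip quotes before the lookup.
            $path = $server.Trim('"')
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Clsid        = $key.PSChildName
                RegistryView = $root
                DllPath      = $path
                OnDisk       = [bool]$file
                FileVersion  = if ($file) { $file.VersionInfo.FileVersion }
                LastWritten  = if ($file) { $file.LastWriteTime }
            }
        }
    }
}

$found = @(Get-SymadataRegistration)
if ($found.Count -eq 0) { "No COM class registered with $dllName as its server." }
else { $found | Format-List }
```

A registration whose `OnDisk` value is `False` points at a DLL that is no longer present; a `LastWritten` date earlier than the date you forced LiveUpdate suggests the control was not replaced.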
For All WatchGuard Users:
An attack exploiting this flaw arrives as seemingly normal HTTP traffic, which you must allow through your Firebox in order for your users to browse the web. Apply the patches above.
Status:
Symantec has released updates to fix these vulnerabilities.