Subscribe to
Computerworld Symantec confirms ActiveX bugs in its own consumer software
Windows versions of popular programs come with flawed tech troubleshooting tool
Active Comments
 The Security Zone
With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones
|
April 4, 2008 (Computerworld) Symantec Corp. has confirmed flaws in its most popular consumer security software that could give attackers the means to hijack the Windows PCs that the programs are supposed to protect.
The vulnerabilities are in an ActiveX control that ships with several products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360.
Ironically, Symantec analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls in comments about other companies' product flaws.
According to alerts released Wednesday by VeriSign Inc.'s iDefense, the ActiveX control SymAData.dll sports two vulnerabilities that could be used "to execute arbitrary code with the privileges of the currently logged in user" by attackers able to entice victims to malicious Web sites.
Symantec confirmed the vulnerabilities Wednesday in its own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus 2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008 and Norton 360 Version 1.0.
While it acknowledged the bugs, Symantec also downplayed the threat, saying that attacks would succeed only from specially crafted sites. "To successfully exploit either vulnerability, an attacker would need to be able to masquerade as the trusted Symantec Web site, such as through a cross-site scripting attack or DNS poisoning," read the company's advisory.
However, cross-site scripting attacks have become common, and although DNS "poisoning" — fooling a DNS server into thinking the bogus routing directions it's received are authentic — is less common, it's not unheard of.
Symantec said it is unaware of any attempts to exploit the vulnerabilities.
The flawed ActiveX control is used by Symantec's AutoFix tool, which is included with some of the company's software and may also be downloaded to a PC during a live chat with a Symantec technical support representative. AutoFix diagnoses PC problems and offers solutions.
Previously, Symantec researchers have called on the company's statistics to point out widespread problems with ActiveX. In February, for example, Oliver Friedrichs, director of the company's security response team, reported ActiveX composed 89% of all the browser plug-in vulnerabilities his team had counted in the first half of 2007.
That same month, Symantec joined with the U.S. Computer Emergency Readiness Team (US-CERT) and other security vendors to urge caution when using ActiveX controls after a wave of bugs were revealed in several other software makers' products, including those from Yahoo Inc., Facebook and MySpace.
Symantec has updated the affected consumer security software with new detection definitions designed to block any exploit of the ActiveX flaws, but will not automatically patch everyone's copy of the flawed control.
"An updated (non-vulnerable) version of the AutoFix tool will be automatically installed if customers participate in an online Chat session with Symantec Technical Support," Symantec said. Alternately, users can manually download and install a patched AutoFix from its Web site.
Today's Top Stories
Resource Alerts
Webcasts
Web Threats Don't Discriminate
The Secure Web Gateway. Mission Critical For Business
Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Editor's Picks
Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
|
 |
|
Patrick Thibodeau: Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more] |
|
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
|
||||||
|
