NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0468 Symantec Confirms Its Own ActiveX Bugs:
Symantec Corporation has confirmed flaws in its most popular consumer security software that
could give attackers the means to hijack the Windows PCs that the programs are supposed to protect.
The vulnerabilities are in an ActiveX control that ships with several products, including Norton
AntiVirus, Norton Internet Security, Norton SystemWorks, and Norton 360. Ironically, Symantec
analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls
in comments about other companies' product flaws. According to alerts released Weds., 02APR, by
VeriSign's iDefense, the ActiveX control SymAData.dll sports two vulnerabilities that could be used
"to execute arbitrary code with the privileges of the currently logged in user" by attackers able
to entice victims to malicious web sites. Symantec confirmed the vulnerabilities Wednesday in its
own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus
2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008, and Norton 360
Version 1.0. While it acknowledged the bugs, Symantec also downplayed the threat, saying that
attacks would succeed only from specially crafted sites. Symantec said it is unaware of any
attempts to exploit the vulnerabilities. Symantec has updated the affected consumer security
software with new detection definitions designed to block any exploit of the ActiveX flaws, but
will not automatically patch everyone's copy of the flawed control. "An updated (non-vulnerable)
version of the AutoFix tool will be automatically installed if customers participate in an online
Chat session with Symantec Technical Support," Symantec said. Alternately, users can manually
download and install a patched AutoFix from its web site.
(ComputerWorld 04APR08)