Security update for numerous Symantec products
Symantec is reporting security holes in several of its products. This includes an ActiveX control in Norton AntiVirus 2005 and 2006, Norton Internet Security 2005 and 2006 and Norton System Works 2005 and 2006 that could allow attackers to plant code onto a Windows system. A visit to a rigged website is all that is needed. The control is a component in the automated support assistant used for PC fault diagnostics.
Symantec has classified the problem as low, since only specific websites can activate the control. For an attack to succeed, the attack would have to disguise itself as a trustworthy site. A patch is available and is already being distributed via LiveUpdate. The Symantec Corporate and Enterprise product lines are not affected, nor does the 2007 consumer product version contain the flaw.
A restricted-rights user registered on the system can also exploit a driver vulnerability to elevate his privileges. The flaw is found in Symantec's AntiVirus Corporate Edition as well as in the following list of products:
Norton Internet Security
Norton System Works
Symantec AntiVirus Corporate Edition
Symantec AntiVirus for Blue Coat Security
Symantec AntiVirus for CacheFlow Security Gateway
Symantec AntiVirus for Clearswift MIME Sweeper
Symantec AntiVirus for Inktomi Traffic Edge
Symantec AntiVirus for Microsoft ISA Server
Symantec AntiVirus for NetApp Filer/NetCache
Symantec BrightMail AntiSpam
Symantec Client Security
Symantec Mail Security for Domino
Symantec Mail Security for Exchange
Symantec Mail Security for SMTP
Symantec Scan Engine
Symantec Web Security for Windows
Only the 32 and 64 bit Windows versions of the product are affected, that is, for Windows NT, Windows 2000 and Windows XP. The Macintosh, Windows 95/98/ME, Linux and Solaris versions are all not vulnerable. The cause of the problem is the NAVEX15.SYS and NAVENG.SYS drivers, which do not inspect the provided addresses when functions are called for I/O control. According to the hole's discoverer (iDefense), attackers can manipulate those addresses, write their own code segments into memory and launch it with system rights. Any malware that has snuck past the scanner can also exploit that vulnerability to completely paralyse the security functions. Symantec has made updates to close the holes available for download. The virus definition update from 4 October 2006 also removes the error.
- Symantec Automated Support Assistant: Vulnerabilities in Support Tool ActiveX Control, Advisory from Symantec
- Symantec Device Driver Elevation of Privilege, Flaw report from Symantec
- Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability, Advisory from iDefense