Symantec closes hole in consumer products
Symantec has issued a security update for its consumer products to close two critical holes in an ActiveX control (SYMADATA.DLL). Security services provider iDefense reports that a buffer overflow in the AutoFix tool, intended for remote support, enables malicious code to be injected and executed in the context of the user's browser. All it needs is a visit to a crafted Web site.
Symantec has taken some security precautions in the control in order to prevent this attack: the control only runs on pages in the symantec.com domain. A successful attack would also have to exploit a cross-site scripting hole, or manipulate the client PC's name resolution – both iDefense and Symantec classify the problem as non-critical. A second hole enables the downloading of code from a remote share.
Norton 360 1.0, Norton AntiVirus Windows 2006 - 2008, Norton Internet Security 2006 - 2008 and Norton SystemWorks 2006 - 2008 are affected. A corrected version of the control is available for download; it is also updated automatically at the start of a Symantec Technical Support session.
A similar but more critical ActiveX vulnerability in the Norton 2006 product range, also affecting remote support, was patched in February 2007. In that case unauthorised sites were able to run the control.
- Symantec AutoFix Support Tool ActiveX Control Vulnerabilities, Symantec vulnerability report
- Symantec Norton Internet Security 2008 ActiveX Control Buffer Overflow Vulnerability, iDefense vulnerability report
- Symantec Internet Security 2008 ActiveDataInfo.LaunchProcess Design Error Vulnerability, iDefense vulnerability report