Symantec's controls for online support were a backdoor for attackers
Symantec has reported a security hole in a number of its products that allows attackers to gain control of a Windows PC. Buffer overflows can be caused in SmartIssue tgctlsi.dll and ScriptRunner tgctlsr.dll, two ActiveX controls from vendor SupportSoft, which are part of Symantec's Automated Support Assistant for online support and troubleshooting. The flawed controls are found in Norton AntiVirus 2006, Norton Internet Security 2006 and Norton System Works 2006.
As an example of how this could work, when a user visits a malicious web site, the server can inject code via the hole and execute it with the user's rights to infect the computer with a trojan. While the controls should only interact with Symantec's sites, Symantec says that the SiteLock function has also been improperly implemented so that any web site can manipulate the controls.
An update has been released and is being distributed via LiveUpdate; it is also installed automatically when the vendor's support sites are visited with Internet Explorer. Version 2007 of the consumer products are not affected, nor are any of the Enterprise products.
- Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support Assistant, Symantec's security advisory