In association with heise online

10 May 2007, 11:06

Vulnerability in Symantec ActiveX module


A design bug in an ActiveX module installed by Norton Antivirus, Internet Security and System Works can allow additional ActiveX modules that are normally not accessible to the browser to be loaded, and their inherent vulnerabilities to be exploited. The security service organization iDefense explains in an advisory that the affected ActiveX components are actually intended for an embedded browser.

If a website loads the module in Internet Explorer, it crashes and leaves the browser in an undefined condition. Following the appearance of the error dialog, additional Symantec modules can be loaded, despite not being tagged as "Safe for Scripting". If these modules contain vulnerabilities, attackers might exploit them.

The defective components are installed in Norton Antivirus, Internet Security and System Works in both the 2005 and 2006 versions. Symantec provides updated modules, which no longer contain the vulnerability, via LiveUpdate.
