Vulnerability in Symantec ActiveX module
A design bug in an ActiveX module installed by Norton Antivirus, Internet Security and System Works can allow additional ActiveX modules, which are normally not accessible from the browser, to be loaded and any vulnerabilities they contain to be exploited. The security service organization iDefense explains in an advisory that the affected ActiveX components are actually intended for an embedded browser.
If a website loads the module in Internet Explorer, it crashes and leaves the browser in an undefined state. Once the error dialog has appeared, additional Symantec modules can be loaded even though they are not tagged as "Safe for Scripting". If these modules contain vulnerabilities, attackers might exploit them.
The defective components are installed in Norton Antivirus, Internet Security and System Works in both the 2005 and 2006 versions. Symantec provides updated modules, which no longer contain the vulnerability, via LiveUpdate.
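The following is an added example, not code from iDefense or Symantec: it inventories which of a vendor's registered COM modules depend solely on the missing "Safe for Scripting" tag to stay out of the browser, and which are additionally blocked by an Internet Explorer kill bit. The category ID and the kill-bit flag are standard Windows values; the vendor name, CLSIDs and paths in the sample export are constructed placeholders.

```python
import re

CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA4-00AA006C4A64}"
KILL_BIT = 0x400  # "Compatibility Flags" bit: IE refuses to instantiate the CLSID
GUID = r"(\{[0-9A-Fa-f-]{36}\})"

# Constructed `reg export` sample; vendor name, CLSIDs and paths are placeholders.
SAMPLE_EXPORT = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\embedded_ui.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA4-00AA006C4A64}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\legacy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000400
"""

def audit(export_text, vendor_fragment):
    """Return {clsid: status} for COM servers whose DLL path contains vendor_fragment."""
    servers, safe, killed, key = {}, set(), set(), ""
    for line in (l.strip() for l in export_text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]")  # remember which registry key the values belong to
            m = re.search(r"\\CLSID\\" + GUID + r"\\Implemented Categories\\" + GUID + "$", key)
            if m and m.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                safe.add(m.group(1).upper())
        elif line.startswith("@=") and (m := re.search(r"\\CLSID\\" + GUID + r"\\InprocServer32$", key)):
            servers[m.group(1).upper()] = line[2:].strip('"')
        elif line.lower().startswith('"compatibility flags"=dword:'):
            m = re.search(r"\\ActiveX Compatibility\\" + GUID + "$", key)
            if m and int(line.split(":", 1)[1], 16) & KILL_BIT:
                killed.add(m.group(1).upper())
    report = {}
    for clsid, path in servers.items():
        if vendor_fragment.lower() in path.lower():
            report[clsid] = ("kill bit set" if clsid in killed else
                             "marked safe for scripting" if clsid in safe else
                             "not safe for scripting, no kill bit")
    return report
```

Modules reported as "not safe for scripting, no kill bit" are the ones whose only barrier is the browser check that the crash described above leaves unenforced.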
- Symantec Norton Internet Security 2006 COM Object Security ByPass Vulnerability, error report from iDefense
(mba)