The opinions expressed herein are entirely my own and do not represent the opinions of any other entity with which I am affiliated. Opinions expressed in comments and trackbacks are those of their respective authors and do not necessarily reflect my own point of view.
All works are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
© Copyright 2006-2009 MalwareTeks
SYM07- 021
August 09, 2007
Symantec ActiveX Control Input Validation Error
Revision History
None
Risk Impact
High
| Remote Access | Yes |
| Local Access | Yes |
| Authentication Required | No |
| Exploit available | No |
Overview
An input validation error in two ActiveX controls used by Norton AntiVirus, Norton Internet Security, and Norton System Works could allow an attacker to execute code on the target system.
Affected Products
| Product | Version | Solution |
| Norton AntiVirus | 2006 | Run LiveUpdate in Interactive Mode |
| Norton Internet Security | 2006 | Run LiveUpdate in Interactive Mode |
| Norton Internet Security, Anti Spyware Edition | 2005 | Run LiveUpdate in Interactive Mode |
| Norton System Works | 2006 | Run LiveUpdate in Interactive Mode |
Unaffected Products
| Product | Version |
| Norton 360 | All |
| Norton AntiBot | All |
| Norton AntiVirus | 2007 and later |
| Norton Confidential | All |
| Norton Internet Security | 2007 and later |
| Norton System Works | 2007 and later |
| Symantec AntiVirus Corporate Edition | All |
| Symantec AntiVirus for Linux | All |
| Symantec Client Security | All |
Details
Symantec was notified that two ActiveX controls supplied by NAVCOMUI.DLL contain an input validation error for two properties of the controls. This error could allow an attacker to crash Internet Explorer, or possibly run arbitrary code with the rights of the logged in user.
Symantec response
Symantec engineers have confirmed that the vulnerability in the products listed in the Affected Products table above. Updates for affected products are available through LiveUpdate.
No versions of Symantec AntiVirus Corporate Edition or Symantec Client Security are affected by this vulnerability.
To successfully exploit this vulnerability, an attacker would need to entice the user to view a specially crafted HTML document. This type of attack is often achieved by sending email containing a link to the malicious site, and persuading the recipient to click on the link.
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.
Mitigation
Symantec Security Response has released Bloodhound.Exploit.148 to detect and block attempts to exploit this vulnerability. This detection is available in virus definitions dated 08-09-2007 and later.
In addition, Symantec has released an IPS signature to detect and block attempts to exploit this vulnerability. The signature, HTTP Symantec NAV NavComUI ActiveX BO, is available in signatures dated 08-09-2007 and later.
Virus definitions and IPS signatures are both available through LiveUpdate
How to Obtain the Update
Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of NAVCOMUI.DLL.
However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:
Best Practices
Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability. As part of normal best practices, Symantec recommends the following:
Credit
Symantec would like to thank Carsten Eiram, Secunia Research for reporting this issue and coordinating with us on the response.
References
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2007-2955 to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
SecurityFocus (http://www.securityfocus.com) has assigned Bugtraq ID (BID) 24983 to this issue
Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the Internet as a result of vulnerability. This document is available from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained from the location provided below.
 Symantec Vulnerability Response Policy |
 Symantec Product Vulnerability Management PGP Key |
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Initial Post on: Thursday, 09-Aug-07 08:42:00
Last modified on: Thursday, 09-Aug-07 15:51:42
Comment Meta:
XHTML:
More Options ...
Categories
Tag Cloud
Blog RSS
Comments RSS
Void « Default
Life 
Earth 
Wind 
Water 
Fire Light
Previous: 
Next: 
Last 50 Posts 
Back