Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 05.09.07: Symantec Norton Internet Security2006 COM Object Security ByPass Vulnerability



> 
> Symantec Norton Internet Security 2006 COM Object Security ByPass
> Vulnerability
> 
> iDefense Security Advisory 05.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> May 09, 2007
> 
> I. BACKGROUND
> 
> Norton Internet Security 2006 is a comprehensive system security suite
> that offers protection from spyware, viruses, identity theft, 
> spam, and
> malicious network traffic. More information can be found on 
> the vendors
> site at the following URL.
> 
> http://www.symantec.com/home_homeoffice/products/overview.jsp?
> pcid=is&pvid=nis2006
> 
> II. DESCRIPTION
> 
> Remote exploitation of a design error vulnerability in an ActiveX
> control installed by Symantec Norton Internet Security 2006 
> could allow
> for the execution of arbitrary code.
> 
> Norton Internet Security 2006 installs the following ActiveX control
> which is registered as safe for scripting:
> 
>   Progid: Symantec.Norton.AntiVirus.NAVOptions
>   Clsid: 085ABFE2-D753-445C-8A2A-D4BD46CE0811
>   File: C:\Program Files\Norton Internet Security\Norton
> AntiVirus\NAVOpts.dll
>   Version: 12.2.0.13
> 
> This control was designed for use in a application embedded 
> web browser
> rather than a native Internet Explorer window. When this control is
> loaded in a standard browser window, it throws an error during
> initialization which leaves the browser in a defunct state. After the
> error dialog displays, other Symantec ActiveX Controls can be created
> without error even if they are not marked as safe for scripting. This
> can lead to remote code execution if the unsafe controls contain
> exploitable methods.
> 
> III. ANALYSIS
> 
> Exploitation allows malicious websites to load certain 
> Symantec ActiveX
> Controls which were not designed or secured for web use.
> 
> This condition can lead to the execution of arbitrary code in 
> situations
> where unsafe controls contain exploitable vulnerabilities.
> 
> IV. DETECTION
> 
> iDefense confirmed the existence of this vulnerability within version
> 12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security
> 2006. Prior versions are suspected to be vulnerable.
> 
> V. WORKAROUND
> 
> Setting the kill-bit for the ActiveX control will prevent 
> this component
> from loading in Internet Explorer. Although this will prevent 
> potential
> exploitation, it may also negatively impact the functionality of the
> application.
> 
> VI. VENDOR RESPONSE
> 
> Symantec has addressed this vulnerability with a software update. The
> update is available via their LiveUpdate channels. For more
> information, consult their advisory at the following URL.
> 
> http://www.symantec.com/avcenter/security/Content/2007.05.09.html
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2006-3456 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 12/13/2006  Initial vendor notification
> 12/13/2006  Initial vendor response
> 05/09/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was reported to iDefense by Peter Vreugdenhil.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 



 




Copyright © Lexa Software, 1996-2009.