Software // Enterprise Applications
News
8/10/2007
03:48 PM
50%
50%

Symantec Fixes 'Highly Critical' Bug In Norton

The security company issued an advisory about the vulnerability in two ActiveX controls, as well as a patch for them.

Symantec released a patch for what's being called a "highly critical" bug in two ActiveX controls used in several Norton security products.

The company released an advisory on Thursday that there is an input validation error in two ActiveX controls, which are used in Norton AntiVirus, Norton Internet Security, and Norton System Works. Symantec noted that versions of its AntiVirus Corporate Edition or Symantec Client Security are not affected by the vulnerability.

U.S.-CERT reported that an attacker may be able to execute arbitrary code on an affected system by enticing a user to view a specially crafted html document. Generally, users are duped into either opening a malicious attachment in an e-mail or are lured to a malicious Web page with the infectious code embedded within it.

Symantec patched the flaw, which the company itself said has a "high" risk impact. Secunia, another security vendor, gave it a "highly critical" rating. The fix is available in LiveUpdate in Interactive Mode.

Secunia reported that the vulnerabilities are caused by errors in the AxSysListView32 and AxSysListView32OAA ActiveX controls (NavComUI.dll) when handling the "AnomalyList" and "Anomaly" properties respectively, as they take a VARIANT* as argument.

The security company said its researchers have not found any exploits circulating for these bugs and have not been made aware of any customers affected by the vulnerabilities. The company is crediting Carsten Eiram, a researcher with Secunia, for reporting the bug and working with Symantec on the response.

In May, Symantec warned users that an ActiveX control in its Norton Internet Security product could enable a remote hacker to take over the system. According to a Symantec advisory, an ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contained a buffer overflow vulnerability. Researchers at U.S.-CERT notified Symantec of the vulnerability.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.