The security company issued an advisory about the vulnerability in two ActiveX controls, as well as a patch for them.
Symantec released a patch for what's being called a "highly critical" bug in two ActiveX controls used in several Norton security products.
The company released an advisory on Thursday that there is an input validation error in two ActiveX controls, which are used in Norton AntiVirus, Norton Internet Security, and Norton System Works. Symantec noted that versions of its AntiVirus Corporate Edition or Symantec Client Security are not affected by the vulnerability.
U.S.-CERT reported that an attacker may be able to execute arbitrary code on an affected system by enticing a user to view a specially crafted html document. Generally, users are duped into either opening a malicious attachment in an e-mail or are lured to a malicious Web page with the infectious code embedded within it.
Symantec patched the flaw, which the company itself said has a "high" risk impact. Secunia, another security vendor, gave it a "highly critical" rating. The fix is available in LiveUpdate in Interactive Mode.
Secunia reported that the vulnerabilities are caused by errors in the AxSysListView32 and AxSysListView32OAA ActiveX controls (NavComUI.dll) when handling the "AnomalyList" and "Anomaly" properties respectively, as they take a VARIANT* as argument.
The security company said its researchers have not found any exploits circulating for these bugs and have not been made aware of any customers affected by the vulnerabilities. The company is crediting Carsten Eiram, a researcher with Secunia, for reporting the bug and working with Symantec on the response.
In May, Symantec warned users that an ActiveX control in its Norton Internet Security product could enable a remote hacker to take over the system. According to a Symantec advisory, an ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contained a buffer overflow vulnerability. Researchers at U.S.-CERT notified Symantec of the vulnerability.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.