Symantec Fixes 'Highly Critical' Bug In Norton - InformationWeek
Software // Enterprise Applications
03:48 PM

Symantec Fixes 'Highly Critical' Bug In Norton

The security company issued an advisory about the vulnerability in two ActiveX controls, as well as a patch for them.

Symantec released a patch for what's being called a "highly critical" bug in two ActiveX controls used in several Norton security products.

The company released an advisory on Thursday that there is an input validation error in two ActiveX controls, which are used in Norton AntiVirus, Norton Internet Security, and Norton System Works. Symantec noted that versions of its AntiVirus Corporate Edition or Symantec Client Security are not affected by the vulnerability.

U.S.-CERT reported that an attacker may be able to execute arbitrary code on an affected system by enticing a user to view a specially crafted html document. Generally, users are duped into either opening a malicious attachment in an e-mail or are lured to a malicious Web page with the infectious code embedded within it.

Symantec patched the flaw, which the company itself said has a "high" risk impact. Secunia, another security vendor, gave it a "highly critical" rating. The fix is available in LiveUpdate in Interactive Mode.

Secunia reported that the vulnerabilities are caused by errors in the AxSysListView32 and AxSysListView32OAA ActiveX controls (NavComUI.dll) when handling the "AnomalyList" and "Anomaly" properties respectively, as they take a VARIANT* as argument.

The security company said its researchers have not found any exploits circulating for these bugs and have not been made aware of any customers affected by the vulnerabilities. The company is crediting Carsten Eiram, a researcher with Secunia, for reporting the bug and working with Symantec on the response.

In May, Symantec warned users that an ActiveX control in its Norton Internet Security product could enable a remote hacker to take over the system. According to a Symantec advisory, an ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contained a buffer overflow vulnerability. Researchers at U.S.-CERT notified Symantec of the vulnerability.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Success = Storage & Data Center Performance
Balancing legacy infrastructure with emerging technologies requires laying a solid foundation that delivers flexibility, scalability, and efficiency. Learn what the most pressing issues are, how to incorporate advances like software-defined storage, and strategies for streamlining the data center.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll