The security vendor isn't doing enough to inform users about the risks they face, experts charge.
Security experts are sharply criticizing Symantec Inc. for the way it handled a flaw in one of its security services earlier this week.
Independent security researcher Cesar Cerrudo posted an advisory late Sunday night to the security mailing list Full Disclosure that described a buffer overflow problem in Symantec's free online Security Check service, which is used to check systems for common security vulnerabilities and attacks. The flaw resided in an ActiveX control used by Security Check to examine a computer system. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.
Cerrudo didn't directly inform Symantec of the vulnerability, but the security vendor did learn about it from Cerrudo's posting to the mailing list. Symantec issued its own advisory Monday evening to the security mailing list Bugtraq that said the vendor has fixed the problem and that users who now scan their systems won't be affected by the flaw.
However, ActiveX controls are downloaded onto, and remain installed on, a user's computer. So users who don't rescan their systems with Security Check and download the new ActiveX control would still have the flawed software on their computers. ActiveX is Microsoft's name for the technology that lets Web pages download and run small programs on a user's machine.
Millions of Symantec customers who used the free Security Check service could still be at risk for attack, security experts say. "I can definitely foresee an attempt to en masse exploit this in the foreseeable future," says Russ Cooper, surgeon general for the security services firm TruSecure Corp. Such an attack could come in the form of a maliciously designed Web site or a virus or worm that attempts to attack the vulnerability.
The flaw also could affect even those who never used Symantec's service. Someone could take a copy of the vulnerable ActiveX control, which carries a digital signature, and use that software to infect others, says Chris Wysopal, director of research and development for security company @Stake Inc. People who visit a Web site that attempts to download the ActiveX control will be asked whether they want to download the app. But the application will appear to be legitimately signed by Symantec, he says. "I think most users would decide it's OK to trust the download," he says.
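The two problems described above, a vulnerable control that stays on disk after one visit and a signed copy of that control that any site can serve, are both things a defender can check for on a Windows machine. The following PowerShell script is an added example; it is not part of the article and is not code from Symantec or its Security Check service. It audits one ActiveX control by CLSID (is it registered, where is its binary, who Authenticode-signed it, does Internet Explorer's kill bit block it) and can set the kill bit so the control cannot be instantiated from any Web page, whoever serves it. The CLSID is a placeholder because the article does not give the RuFSI control's CLSID; the function and variable names are my own.

```powershell
# Added example, not from the article or from Symantec: audit one ActiveX control by CLSID.
# Reports whether it is registered, where its binary lives, who Authenticode-signed it,
# and whether Internet Explorer's kill bit blocks it. The CLSID used below is a placeholder;
# the article does not give the RuFSI control's CLSID, so substitute the real one.

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not instantiate a control carrying this flag

function Get-ActiveXControlStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $status = [ordered]@{
        Clsid           = $Clsid
        Registered      = $false
        BinaryPath      = $null
        Signer          = $null
        SignatureStatus = $null
        KillBitSet      = $false
    }

    # In-process COM servers record their DLL/OCX path under CLSID\{...}\InprocServer32.
    # The Wow6432Node branch covers 32-bit controls on 64-bit Windows.
    $clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    foreach ($root in $clsidRoots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $status.Registered = $true
            $status.BinaryPath = (Get-ItemProperty -Path $key).'(default)'
            break
        }
    }

    # A valid vendor signature on an old, vulnerable binary is exactly the problem the article
    # describes: the signature says who built it, not whether it is safe. Record it, do not trust it.
    if ($status.BinaryPath -and (Test-Path -Path $status.BinaryPath)) {
        $sig = Get-AuthenticodeSignature -FilePath $status.BinaryPath
        $status.SignatureStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $status.Signer = $sig.SignerCertificate.Subject }
    }

    # Kill bit: 'Compatibility Flags' DWORD with 0x400 set under ActiveX Compatibility\{CLSID}.
    $compatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')
    foreach ($root in $compatRoots) {
        $key = "$root\$Clsid"
        if (Test-Path -Path $key) {
            $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and (($flags -band $KillBit) -eq $KillBit)) {
                $status.KillBitSet = $true
            }
        }
    }

    [pscustomobject]$status
}

function Set-ActiveXKillBit {
    # Blocks the control in IE even though the signed file stays on disk. Needs an elevated shell.
    param([Parameter(Mandatory)][string]$Clsid)

    $compatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')
    foreach ($root in $compatRoots) {
        if (-not (Test-Path -Path $root)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $key = "$root\$Clsid"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBit      # preserve any other compatibility flags already set
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Usage (placeholder CLSID; replace with the control's real CLSID):
$clsid = '{00000000-0000-0000-0000-000000000000}'
Get-ActiveXControlStatus -Clsid $clsid | Format-List
# Set-ActiveXKillBit -Clsid $clsid   # run elevated once the control is confirmed vulnerable
```

The point of checking the signature and the kill bit separately is the one Wysopal makes: a valid Symantec signature on the old control is what makes a re-served copy look trustworthy, so the defence cannot be "only accept signed controls." Setting the kill bit for the control's CLSID blocks every copy of that control in Internet Explorer, including the signed one, without depending on the user ever rescanning with Security Check.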
As a result, security experts say Symantec should be doing more to warn users of the security threat. The company isn't making great efforts to warn users that they may have a serious security hole on their computers as a result of using the free security-scanning service. The vendor's home page late Wednesday night contained a security advisory on a Sun Microsystems database buffer overflow vulnerability, but there's no warning about its own ActiveX vulnerability.
As of late Thursday afternoon, three days after its original security advisory, Symantec posted the security advisory about this vulnerability prominently on the vendor's homepage.
The vulnerability also isn't mentioned on the vendor's Security Response page, where it usually highlights the latest viruses, worms, and software security vulnerabilities. The advisory for Symantec's own vulnerability is buried three pages deep and titled "Symantec Security Check ActiveX Buffer Overflow."
"Flaws like this are especially embarrassing for security companies," says Pete Lindstrom, director of research for Spire Security. "For a service intended to be used by so many users, and given the business that they are in, you would hope they would step up to the plate and accept their mistake a little more boldly."
Cooper agrees: "I think there definitely needs to be some sort of warning plus advisory on the Symantec home page and again on the Symantec Security Check site. The only reason I can think of as to why they haven't so far is because they feel it would be detrimental to their marketing."
Symantec didn't respond to requests for comment. How many Symantec customers may still have the vulnerable ActiveX software on their systems remains unclear. The company did issue a press release in December stating that 30 million users have turned to the Symantec Security Check "to identify and address online safety threats to their personal computers."
Symantec did post an advisory to the Bugtraq security mailing list. But the readership of Bugtraq, which is owned by Symantec, is made up of security professionals, not the home users and small businesses most likely to use Symantec's free security checkup service.