Symantec Security Flaw Still A Threat - InformationWeek


Security vendor isn't doing enough to inform users about the risks they face, experts charge.

Security experts are sharply criticizing Symantec Inc. for the way it handled a flaw in one of its security services earlier this week.

Independent security researcher Cesar Cerrudo posted an advisory late Sunday night to the security mailing list Full Disclosure that described a buffer overflow problem in Symantec's free online Security Check service, which is used to check systems for common security vulnerabilities and attacks. The flaw resided in an ActiveX control used by Security Check to examine a computer system. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.

Cerrudo didn't directly inform Symantec of the vulnerability, but the security vendor did learn about it from Cerrudo's posting to the mailing list. Symantec issued its own advisory Monday evening to the security mailing list Bugtraq that said the vendor has fixed the problem and that users who now scan their systems won't be affected by the flaw.

However, ActiveX controls are downloaded onto a user's computer. So users who don't rescan their systems with Security Check and download the new ActiveX control would still have the flawed software on their computers. ActiveX is the name for Microsoft software used to run small programs.

Millions of Symantec customers who used the free Security Check service could still be at risk for attack, security experts say. "I can definitely foresee an attempt to en masse exploit this in the foreseeable future," says Russ Cooper, surgeon general for the security services firm TruSecure Corp. Such an attack could come in the form of a maliciously designed Web site or a virus or worm that attempts to attack the vulnerability.

The flaw also could affect even those who never used Symantec's service. Someone could take a copy of the vulnerable ActiveX control, which contains a digital signature, and use that software to infect others, says Chris Wysopal, director of research and development for security company @Stake Inc. People who visit a Web site that attempts to download the ActiveX control will be asked whether they want to download the app. But the application will appear to be legitimately signed by Symantec, he says. "I think most users would decide it's OK to trust the download," he says.
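The two risks above (a flawed control that stays installed after the scan, and a signed copy that another site can serve) are both questions a Windows administrator would want to answer on a machine. The following PowerShell script is an added example, not code from the article or from Symantec: it finds the control by the class name the article quotes, since the article does not give its CLSID, and reports whether Internet Explorer's kill bit (the 0x400 "Compatibility Flags" value) is set for it.

```powershell
# Added example (not from the article): locate the Symantec RuFSI Utility Class
# ActiveX control in the registry and report whether IE's kill bit is set for it.
# The class name comes from the article; the CLSID is discovered rather than assumed.
$ControlName = 'Symantec RuFSI Utility Class'
$KillBit     = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

# Enumerate registered COM classes and keep those whose default value is the class name.
$hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)' -eq $ControlName
    }

if (-not $hits) {
    Write-Output "Control '$ControlName' is not registered on this machine."
    return
}

foreach ($key in $hits) {
    $clsid = $key.PSChildName
    # DLL that backs the control, if an in-process server is registered.
    $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    # Kill-bit flags live under the ActiveX Compatibility key, per CLSID.
    $compatPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = (Get-ItemProperty -Path $compatPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)

    [pscustomobject]@{
        CLSID      = $clsid
        DllPath    = $server
        KillBitSet = $killBitSet
    }
}
```

A result with KillBitSet = False means the browser will still load the control, including a signed copy served from a site other than Symantec's; setting the 0x400 flag under that CLSID's Compatibility key blocks it regardless of where the copy comes from.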

As a result, security experts say Symantec should be doing more to warn users of the security threat. The company isn't making great efforts to warn users that they may have a serious security hole on their computers as a result of using the free security-scanning service. The vendor's home page late Wednesday night contained a security advisory on a Sun Microsystems database buffer overflow vulnerability, but there's no warning about its own ActiveX vulnerability.

As of late Thursday afternoon, three days after its original security advisory, Symantec posted the security advisory about this vulnerability prominently on the vendor's homepage.

The vulnerability also isn't mentioned on the vendor's Security Response page, where it usually highlights the latest viruses, worms, and software security vulnerabilities. The advisory for Symantec's own vulnerability is buried three pages deep and titled "Symantec Security Check ActiveX Buffer Overflow."

"Flaws like this are especially embarrassing for security companies," says Pete Lindstrom, director of research for Spire Security. "For a service intended to be used by so many users, and given the business that they are in, you would hope they would step up to the plate and accept their mistake a little more boldly."

Cooper agrees: "I think there definitely needs to be some sort of warning plus advisory on the Symantec home page and again on the Symantec Security Check site. The only reason I can think of as to why they haven't so far is because they feel it would be detrimental to their marketing."

Symantec didn't respond to requests for comment. How many Symantec customers may still have the vulnerable ActiveX software on their systems remains unclear. The company did issue a press release in December stating that 30 million users have turned to the Symantec Security Check "to identify and address online safety threats to their personal computers."

Symantec did post an advisory to the Bugtraq security mailing list. But the readership of Bugtraq, which is owned by Symantec, is made up of security professionals, not the home users and small businesses most likely to use Symantec's free security checkup service.
