The security vendor acknowledges it could have done a better job of informing customers of a security problem.
Symantec Corp. should have been more aggressive in informing customers of a potential security problem, a top company executive acknowledged Friday. Customers who used the company's online Security Check service before June 24 may have inadvertently opened a security hole on their computers.
Security experts earlier this week criticized the security vendor for not doing enough to inform its home and small-business users that their systems may be at risk (see Symantec Security Flaw Still A Threat).
The problem is a buffer overflow in an ActiveX control that the Security Check service, which checks systems for common security vulnerabilities and attacks, installs on a computer in order to examine it. The control stays installed after the scan. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.
Steve Cullen, senior VP of consumer and client product delivery for Symantec, said Friday that the company didn't do as much as it could have to inform customers about the vulnerability. "We probably hadn't done enough proactive communications, and we've taken steps to clean up that issue," he said.
Symantec posted an advisory describing the vulnerability on its Security Check Web site and on its home page Thursday. The advisory tells users either to rescan their systems using the Security Check service, which fixes the problem, or to use a free tool Symantec has provided that removes the vulnerable ActiveX control from their desktops, Cullen says.
Nearly all of Symantec's ActiveX controls have a security feature that prevents the control from being used by any Web sites other than Symantec's, he says. But this particular ActiveX component lacked that security feature. "We've since gone through all of our ActiveX controls, and they all have that security feature," he says.
That feature is known as SiteLock, a template Microsoft provides for ActiveX controls. It is designed to make sure that a control can only be used by Web pages from domains that the control's developer trusts: the control checks the URL of the page hosting it against a list of trusted domains built into the control, and refuses to work for anything else. Without such a check, any Web page a user visits can load and script a control that is already installed on the machine.
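To make the SiteLock idea concrete, here is an added example, not Symantec's or Microsoft's code, that implements the core of such a check in plain C++: given the URL of the hosting page, it decides whether the page's scheme and host appear on a compiled-in allow-list. The trusted-site list, the domain names, and the function names (`parseSchemeAndHost`, `isTrustedHostPage`) are assumptions for the illustration. The real ATL SiteLock template learns the hosting URL from the browser through the control's site object and does this comparison in C++ inside the control itself; this example only shows the comparison, including the cases a careless implementation gets wrong: look-alike suffixes such as `notsymantec.com`, trusted names buried in a longer hostname, user-info tricks like `https://www.symantec.com@evil.example/`, and the wrong scheme.

```cpp
// Added illustration of a SiteLock-style host check for an ActiveX control.
// Simplified stand-in for the ATL SiteLock template; the allow-list and the
// domains below are assumptions for this example, not Symantec's real list.
#include <string>
#include <vector>
#include <algorithm>
#include <cctype>

struct TrustedSite {
    std::string scheme;      // scheme the page must use, e.g. "https"
    std::string domain;      // trusted domain, e.g. "symantec.com"
    bool includeSubdomains;  // whether www.symantec.com is also allowed
};

// Hypothetical allow-list compiled into the control.
static const std::vector<TrustedSite> kTrustedSites = {
    {"https", "security.symantec.com", false},
    {"https", "symantec.com", true},
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split "scheme://host[:port]/path" into lower-cased scheme and host.
// Returns false for a malformed URL; the control must treat that as untrusted.
bool parseSchemeAndHost(const std::string& url, std::string& scheme, std::string& host) {
    const std::string sep = "://";
    size_t p = url.find(sep);
    if (p == std::string::npos || p == 0) return false;
    scheme = toLower(url.substr(0, p));
    size_t start = p + sep.size();
    size_t end = url.find_first_of("/?#", start);
    std::string authority =
        url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    // Drop user-info so "https://www.symantec.com@evil.example/" resolves to evil.example.
    size_t at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    // Drop an explicit port; the check is on the hostname only.
    size_t colon = authority.find(':');
    if (colon != std::string::npos) authority = authority.substr(0, colon);
    if (authority.empty()) return false;
    host = toLower(authority);
    return true;
}

// A host matches if it equals the trusted domain or, when subdomains are
// allowed, ends with "." + domain on a label boundary. This rejects both
// "notsymantec.com" and "symantec.com.evil.example".
static bool hostMatches(const std::string& host, const TrustedSite& site) {
    if (host == site.domain) return true;
    if (!site.includeSubdomains) return false;
    if (host.size() <= site.domain.size()) return false;
    size_t off = host.size() - site.domain.size();
    return host[off - 1] == '.' && host.compare(off, std::string::npos, site.domain) == 0;
}

// The decision a SiteLock-style control makes once it learns its hosting page URL.
bool isTrustedHostPage(const std::string& pageUrl) {
    std::string scheme, host;
    if (!parseSchemeAndHost(pageUrl, scheme, host)) return false;
    for (const auto& site : kTrustedSites) {
        if (scheme == site.scheme && hostMatches(host, site)) return true;
    }
    return false;  // fail closed: unknown hosts may not drive the control
}
```

The check fails closed on anything it cannot parse, and it compares scheme as well as host, so a plain-http page on an otherwise trusted domain is refused unless the list says otherwise. That is the property the RuFSI control lacked: it answered to whatever page loaded it.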
In an effort to get word out about the vulnerability to the millions of Symantec customers who may now have the faulty software on their systems, Cullen says the company will include information about the vulnerability and its cleanup process in an upcoming Symantec customer E-mail Newsletter. "We're trying to communicate the message to as many people as possible," he says.
Security experts who criticized Symantec's handling of the problem were justified, Cullen says. "I think it's fine for people to call us on that," he says. "And it's important that we remain objective about that. We're being as open and as proactive about this as possible."