__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                        INFORMATION BULLETIN

         Norton AntiVirus 2004 ActiveX Control Vulnerability
             [Symantec Security Response SYM04-009]

May 21, 2004 18:00 GMT                                          Number O-149
______________________________________________________________________________
PROBLEM:       A Symantec Norton AntiVirus 2004 ActiveX control does not
               properly verify/validate external input.

PLATFORM:      Symantec Norton AntiVirus 2004

DAMAGE:        Allows remote execution of code on a local system with the
               privileges of the logged-on user. It may also result in a DoS
               against the Symantec Norton AntiVirus application.

SOLUTION:      Install patches through Symantec's LiveUpdate using the
               instructions provided in SYM04-009.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker must entice a user to execute
ASSESSMENT:    the attacker's script. Note that if your organization runs the
               automated Symantec LiveUpdate program, your systems are most
               likely already protected.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-149.shtml
 ORIGINAL BULLETIN:  http://securityresponse.symantec.com/avcenter/security/Content/2004.05.20.html
______________________________________________________________________________

[***** Start Symantec Security Response SYM04-009 *****]

SYM04-009
May 20, 2004

Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability

Revision History
None

Risk Impact
Medium

Overview

LAC (Little eArth Corporation, Ltd) notified Symantec of a security issue
they discovered in an ActiveX control used by Symantec Norton AntiVirus 2004.
If properly exploited, this vulnerability could allow remote execution of
code residing on the local system with the privileges of the logged-on user,
the launch of unauthorized pop-ups, or a denial of service (DoS) against the
Symantec Norton AntiVirus application on the targeted system.

Affected Components
Symantec Norton AntiVirus 2004

Details

LAC notified Symantec of a vulnerability in an ActiveX control used in
Symantec Norton AntiVirus 2004. The ActiveX control does not properly
verify/validate external input. A malicious individual could potentially
exploit this control to launch arbitrary executables of the attacker's choice
with user privileges. The vulnerability could also be used to launch an
unauthorized URL (pop-up) on the system, or to create a DoS situation causing
the Symantec Norton AntiVirus application to freeze.

To successfully launch an executable, the executable program would have to
already exist on the local system and its location would have to be known to
the attacker. This could limit the potential impact of this type of attack.

In all of these types of attacks, the attacker would need to either entice
the targeted user to visit a location where the malicious script could be
launched, or to download and launch the malicious script on their system.

Symantec Response

Symantec verified the issues LAC reported in Symantec Norton AntiVirus 2004.
Symantec product engineers have developed a fix and released patches for all
impacted product versions through Symantec's LiveUpdate. Symantec recommends
all users of Symantec Norton AntiVirus 2004 update immediately to apply this
fix. Symantec users who normally run manual LiveUpdates will already be
protected.
However, to ensure all available patches have been properly applied to
Symantec products, users should run a manual LiveUpdate as follows:

 - Open any installed Symantec product
 - Click on LiveUpdate in the toolbar
 - Run LiveUpdate until all available Symantec product updates are
   downloaded and installed

Symantec is not aware of any active exploits for, or customer impact from,
this issue.

As a part of normal user best practice, Symantec recommends a multi-layered
approach to security. Users, at a minimum, should run both a personal
firewall and an antivirus application with current updates to provide
multiple points of detection and protection against both inbound and outbound
threats. Users should keep vendor-supplied patches for all application
software and operating systems up to date.

Users should be cautious of mysterious attachments and executables delivered
via email and be cautious of visiting unknown/untrusted websites or opening
unknown URL links. Do not open unidentified attachments or executables from
unknown sources, or that you didn't request or were unaware of. Always err on
the side of caution. Even if the sender is known, the source address may be
spoofed. If in doubt, contact the sender to confirm they sent it and why
before opening the attachment. If still in doubt, delete the attachment
without opening it.

CVE

A CVE candidate number has been requested from the Common Vulnerabilities and
Exposures (CVE) initiative. This advisory will be revised appropriately when
received. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

Credit

Symantec appreciates the cooperation of Yuu Arai and the Little eArth
Corporation security research team in identifying these issues.

Symantec Product Security Contact Information

Symantec takes the security and proper functionality of its products very
seriously.
As a founding member of the Organization for Internet Safety, Symantec
follows the process of responsible disclosure. Symantec also subscribes to
the vulnerability guidelines outlined by the National Infrastructure Advisory
Council (NIAC). Please contact secure@symantec.com if you feel you have
discovered a potential or actual security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be obtained here.

--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from symsecurity@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are
registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.
Last modified on: Thursday, 20-May-04 15:34:54

[***** End Symantec Security Response SYM04-009 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Symantec for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not necessarily constitute or imply
its endorsement, recommendation, or favoring by the United States Government
or the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-139: Apple Mac OS X AppleFileServer Authentication Vulnerability
O-140: Microsoft HCP Protocol URL Validation Vulnerability
O-141: Symantec Client Firewall Remote Access Vulnerabilities
O-142: Hewlett Packard HP-UX dtlogin Vulnerability
O-143: Gnome Toolkit (GTK+) Support Libraries Vulnerability
O-144: Sun ypserv and ypxfrd Vulnerabilities
O-145: Red Hat Updated Kernel Packages for Enterprise Linux 3
O-146: kdelibs Package Vulnerabilities
O-147: Linux CVS Server Heap Overflow Vulnerability
O-148: Linux Neon and Cadaver Buffer Overflow Vulnerability