ActiveX vulnerabilities in Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360 could allow hackers to hijack the Windows PCs the programs are supposed to protect, Symantec has warned.
Ironically, Symantec analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls in comments about other companies' product flaws.
According to alerts released last week by VeriSign's iDefense, the ActiveX control 'SymAData.dll' sports two vulnerabilities that could be used "to execute arbitrary code with the privileges of the currently logged in user" by attackers able to entice victims to malicious websites.
Symantec confirmed the vulnerabilities on Wednesday in its own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus 2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008 and Norton 360 version 1.0.
While it acknowledged the bugs, Symantec also downplayed the threat, saying that attacks would only succeed from specially crafted sites. "To successfully exploit either vulnerability, an attacker would need to be able to masquerade as the trusted Symantec website, such as through a cross-site scripting attack or DNS poisoning," read the company's advisory.
However, cross-site scripting attacks have become common, and although domain name system (DNS) 'poisoning' - fooling a DNS server into thinking the bogus routing directions it's received are authentic - is less common, it's not unheard of.
Symantec said it was unaware of any attempts to exploit the vulnerabilities.
The flawed ActiveX control is used by Symantec's AutoFix tool, which is included with some of the company's software and may also be downloaded to a PC during a live chat with a Symantec technical support representative. AutoFix diagnoses PC problems and offers up solutions.
Previously, Symantec researchers have called on the company's statistics to point out widespread problems with ActiveX. In February, for example, Oliver Friedrichs, director of the company's security response team, reported ActiveX composed 89 percent of all the browser plug-in vulnerabilities his team had counted in the first half of 2007.
That same month, Symantec joined with the US Computer Emergency Readiness Team (US-CERT) and other security vendors to urge caution when using ActiveX controls after a wave of bugs were revealed in several other software makers' products, including those from Yahoo, Facebook and MySpace.
Symantec has updated the affected consumer security software with new detection definitions designed to block any exploit of the ActiveX flaws, but will not automatically patch everyone's copy of the flawed control.
"An updated (non-vulnerable) version of the AutoFix tool will be automatically installed if customers participate in an online Chat session with Symantec Technical Support," Symantec said. Alternately, users can manually download and install a patched AutoFix from its website.