We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
75,052 News Articles

Symantec reveals ActiveX bug in Norton range

Windows versions of security software affected

ActiveX vulnerabilities in Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360 could allow hackers to hijack the Windows PCs the programs are supposed to protect, Symantec has warned.

Ironically, Symantec analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls in comments about other companies' product flaws.

According to alerts released last week by VeriSign's iDefense, the ActiveX control 'SymAData.dll' sports two vulnerabilities that could be used "to execute arbitrary code with the privileges of the currently logged in user" by attackers able to entice victims to malicious websites.

See also:

Symantec Norton 360 2.0 review

Reviews of all Symantec software

Symantec confirmed the vulnerabilities on Wednesday in its own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus 2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008 and Norton 360 version 1.0.

While it acknowledged the bugs, Symantec also downplayed the threat, saying that attacks would only succeed from specially crafted sites. "To successfully exploit either vulnerability, an attacker would need to be able to masquerade as the trusted Symantec website, such as through a cross-site scripting attack or DNS poisoning," read the company's advisory.

However, cross-site scripting attacks have become common, and although domain name system (DNS) 'poisoning' - fooling a DNS server into thinking the bogus routing directions it's received are authentic - is less common, it's not unheard of.

Symantec said it was unaware of any attempts to exploit the vulnerabilities.

The flawed ActiveX control is used by Symantec's AutoFix tool, which is included with some of the company's software and may also be downloaded to a PC during a live chat with a Symantec technical support representative. AutoFix diagnoses PC problems and offers up solutions.

Previously, Symantec researchers have called on the company's statistics to point out widespread problems with ActiveX. In February, for example, Oliver Friedrichs, director of the company's security response team, reported ActiveX composed 89 percent of all the browser plug-in vulnerabilities his team had counted in the first half of 2007.

That same month, Symantec joined with the US Computer Emergency Readiness Team (US-CERT) and other security vendors to urge caution when using ActiveX controls after a wave of bugs were revealed in several other software makers' products, including those from Yahoo, Facebook and MySpace.

Symantec has updated the affected consumer security software with new detection definitions designed to block any exploit of the ActiveX flaws, but will not automatically patch everyone's copy of the flawed control.

"An updated (non-vulnerable) version of the AutoFix tool will be automatically installed if customers participate in an online Chat session with Symantec Technical Support," Symantec said. Alternately, users can manually download and install a patched AutoFix from its website.

Dell XP Migration SMB
Dell XP Migration SMB
IDG UK Sites

Lytro Illum release date, price and specs: Light field camera goes 3D

IDG UK Sites

Tim Cook says Apple aims to be best, not first, hinting that iWatch is coming

IDG UK Sites

Twitter - not news

IDG UK Sites

Fun film festival trailer plays with classic movie scenes