Low - Medium
A vulnerability has been discovered in Norton AntiVirus that can cause the host system to crash.
NAV 2002, 2003
Norton AntiVirus Corporate Edition version 7.61
Symantec Anti Virus Corporate Edition version 8.01
Symantec Anti Virus Corporate Edition version 8.1
A vulnerability has been discovered in the Auto-protect component of Norton AntiVirus. Users with access to a system can craft a buffer, send it to Auto-Protect and cause the system to crash. Exploit code has been created as a proof on concept for this vulnerability.
Symantec considers this to be a low to medium threat. Access to the system must be obtained before the vulnerability can be exploited.
Mitigating the risk - Microsoft Windows systems ship with the guest user account activated. It is recommended that the system administrator or user disable or at least password protect this account. Some level of system access is required to exploit the vulnerability. By restricting access to the system running vulnerable code will substantially reduce the risk from this and many other vulnerabilities.
As is always recommended for security, users are encouraged to not grant system access to non-trusted people. Reasonable caution should also be exercised when opening email attachments, downloading and running executables, or other similar type activities from the Internet.
Patches that address this vulnerability are available for Symantec AV 8.01 build 446, Symantec AV 8.1 build 825, NAVCE 7.61 build 46a and NAVCE 7.61 build 50.
Note: Symantec AV 8.01 build 457 and Symantec AV 8.11 build 314 and later have incorporated this fix and do not need to be patched.
Installing the patch
Two versions of the patch are available for each of Symantec AV versions 8.01 build 446, Symantec AV 8.1 build 825, NAVCE 7.61 build 46a and NAVCE 7.61 build 50. For Windows 95, 98 and Me, use the version whose file name ends with "Win9x.zip." For Windows NT, 2000, XP, and 2003 servers and clients, use the version whose file name ends with "only.zip." The patch consists of a single executable to be run on each computer.
For Windows NT, 2000, XP, and 2003, you must be logged in as the local administrator account to apply the patch.
After the patch for Windows 9x/Me clients finishes, a prompt to restart the computer appears. This restart is mandatory. Windows NT, 2000, XP and 2003 clients and servers do not require a restart.
Patches for Symantec AV 8.01 build 446:
Patches for Symantec AV 8.1 build 825:
Patches for NAVCE 7.61 build 50:
Patches for NAVCE 7.61 build 46a:
Note: If you have a version of Symantec AV or NAVCE that is not one of the specific builds listed, you cannot install the patch. For information on obtaining the specified builds, read the document How to obtain an update or an upgrade for your Symantec corporate product.
If you run the patch on an installation that cannot be patched, or on a computer that does not have Symantec AV or NAVCE installed, you will see an error message stating "Old file cannot be found."
Mitigating the risk
By default, the guest user account is enabled on some Microsoft Windows systems. Symantec recommends that the system administrator or user disable this account, or at least set a password for it. To exploit the vulnerability requires some level of system access. Restricting access to the system will substantially reduce the risk from this and many other vulnerabilities.
As is always recommended for security, encourage users not to grant system access to non-trusted people, and to exercise caution opening email attachments, downloading and running executables, or performing other similar activities involving the Internet.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Wednesday, 26-Jan-05 16:09:42