A security group, The Digital Pranksters, reported an issue they discovered in Symantec's Norton Internet Security product. The URL in the return message from a site on the blocked list in the Norton Parental Control feature can allow an unauthorized script to run on the client system.
Symantec's Norton Internet Security 2003
Symantec's Norton Internet Security 2004
Symantec's Norton Internet Security blocks inappropriate web content to help parents keep their children safe from inappropriate material while online. The Norton Parental Control blocks access to newsgroups and Web sites that may not be suitable for children. When a link is accessed or followed to one of the sites on the blocked list, Norton Internet Security returns a message stating that the site is restricted and has been blocked. The returned message includes the URL of the restricted site and is presented in a separate browser window Norton Internet Security opens on the client system. Digital Pranksters reported that they were able to supply a URL from a blocked site that contained an additional unauthorized script embedded in the URL. This script displayed in the blocked access message window on the client system.
Symantec has verified this issue. There is a bug in the way Norton Internet Security is validating the content it returns in the informational page. This is being fixed and will be forthcoming in a future LiveUpdate to Norton Internet Security products.
The risk presented by this bug is very low to non-existent. Any unauthorized script returned in the blocked site URL runs in the context of the informational window that Norton Internet Security opens on the client system. This is a very restricted environment providing no access to the client system outside of the display window or any unauthorized information from the client system to be sent out. While it presents little risk to the client system, it is unwarranted action that is being addressed.
Symantec takes any potential security issues with Symantec products very seriously. While the issue described by the Digital Pranksters applies only to the subset of Web sites contained in the Norton Internet Security Block Site list, there are many other malicious Web sites on the Internet and many ways of enticing a careless surfer to visit such a site. Symantec recommends the following best practices as part of a normal security posture:
- Keep vendor-supplied security patches and updates for all application software and operating systems current.
- Run current Anti-Virus/Firewall applications and keep the definitions updated. Systems should be scanned on a regular basis.
- Be wary of attachments delivered via email. Especially ones with .vbs, .bat, .exe, .pif and .scr file extensions that are commonly used to spread viruses, worms, and trojans.
- Even if the sender is known, users should be wary of attachments or unknown files if the sender does not thoroughly explain the content in the body of the email. The source of the original attachment is often unknown.
- If in doubt, users should contact the sender before opening the attachment or downloading the file to see if, in fact, they did intend to send it. If there is still doubt, users should delete the document in question without opening it.
- If you intend to download an attachment, download to a separate folder and scan prior to opening.
- Practice safe surfing.
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Digital Pranksters security team in identifying and providing details of this area of concern as well as working closely with Symantec to properly address the issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact email@example.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to firstname.lastname@example.org. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from email@example.com.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and firstname.lastname@example.org are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 22:15:23