March 19, 2004
Symantec Norton Internet Security and Norton AntiSpam Remote Access Vulnerability

Revision History
3/22/2004 - Added CVE Candidate names
4/19/2004 - Added information on additional affected products and fix availability

Risk Impact

NGSsoftware notified Symantec of a security vulnerability it had found in Symantec Norton Internet Security and Symantec Norton AntiSpam 2004. If properly exploited, this vulnerability could allow remote execution of arbitrary code on a targeted system, resulting in possible system compromise.

Affected Components
Symantec Norton Internet Security and Professional 2002, 2003, 2004
Symantec Norton Personal Firewall 2003, 2004
Symantec Norton AntiSpam 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0

Symantec was alerted to remote access vulnerabilities that NGSsoftware discovered while evaluating Symantec Norton Internet Security 2004 and Symantec Norton AntiSpam 2004. Symantec Norton Internet Security and Symantec Norton AntiSpam 2004 contain ActiveX components that do not properly validate/parse external input. A malicious individual could potentially exploit these weaknesses to launch a local application on the target system and possibly run arbitrary code of their choice on the local system with elevated privileges.

To do this successfully, the attacker would need to entice the targeted user either to visit a location where the malicious code could be launched or to download and launch the malicious code on their system. Successful exploitation of these security issues could result in compromise of the targeted system.

Symantec Response
Symantec verified the issue reported by NGSsoftware for Symantec Norton AntiSpam 2004 and Symantec Norton Internet Security 2004 and released a fix via Symantec LiveUpdate. Additional review determined the issue NGSsoftware reported for Symantec Norton Internet Security 2004 also impacted additional versions of Symantec Client Firewall products. Symantec product engineers developed fixes for the issue and released patches for all impacted products through Symantec LiveUpdate and technical support channels.

To update retail products via Symantec LiveUpdate, users should:

  • Open any installed Symantec product
  • Click on LiveUpdate in the toolbar
  • Run LiveUpdate until all available Symantec product updates are downloaded and installed

Customers running Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels.

Symantec is not aware of any active attempts against or customer impact from this issue.

As a part of normal best practices, Symantec recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications with current updates to provide multiple points of detection and protection against both inbound and outbound threats.

Users should keep vendor-supplied patches for all application software and operating systems up to date.

Users should further be wary of mysterious attachments and executables delivered via email and be wary of visiting unknown/untrusted websites.

Do not open attachments or executables from unknown sources. Always err on the side of caution.

Even if the sender is known, be wary of attachments if the sender does not fully explain the attachment content in the body of the email. You do not know the source of the attachment.

If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the following Candidate names to these issues:

The Symantec Norton AntiSpam issue has been assigned CAN-2004-0363.

The Symantec Norton Internet Security issue has been assigned CAN-2004-0364.

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec appreciates the cooperation of Mark Litchfield and the NGSsoftware research team in identifying these issues.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

  • Symantec Vulnerability Response Policy (PDF)
  • Symantec Product Vulnerability Management PGP Key (PGP)

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: Monday, 25-Oct-04 15:25:47