WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec
May 20, 2004
Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability

Revision History
May 24, 2004 Added CVE Candidate name

Risk Impact

LAC (Little eArth Corporation, Ltd) notified Symantec of a security issue they discovered in an ActiveX control used by Symantec Norton AntiVirus 2004. If properly exploited this vulnerability could allow remote execution of code residing on the local system with privileges of the logged on user, launch of unauthorized popups or a denial of service (DoS) against the Symantec Norton AntiVirus application on the targeted system.

Affected Components
Symantec Norton AntiVirus 2004

LAC notified Symantec of a vulnerability in an ActiveX control used in Symantec Norton AntiVirus 2004. The ActiveX control does not properly verify/validate external input. A malicious individual could potentially exploit this control to launch arbitrary executables of the attacker's choice with user privileges. The vulnerability could also be used to launch an unauthorized URL (pop-up) on the system; or, create a DoS situation causing the Symantec Norton AntiVirus application to freeze.

To successfully launch an executable, the executable program would have to already exist on the local system and the location of the executable known to the attacker. This could limit the potential impact of this type of attack. In all of these types of attacks, the attacker would need to either entice the targeted user to visit a location where the malicious script could be launched or to download and launch the malicious script on their system.

Symantec Response
Symantec verified the issues LAC reported in Symantec Norton AntiVirus 2004. Symantec product engineers have developed a fix and released patches for all impacted product versions through Symantec's LiveUpdate.

Symantec recommends all users of Symantec Norton AntiVirus 2004 update immediately to apply this fix.

Symantec users who normally run manual LiveUpdates will already be protected. However, to ensure all available patches have been properly applied to Symantec products, users should run a manual LiveUpdate as follows:

  • Open any installed Symantec product
  • Click on LiveUpdate in the toolbar
  • Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec is not aware of any active exploits for or customer impact from this issue.

As a part of normal user best practice, Symantec recommends a multi-layered approach to security.

Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.

Users should keep vendor-supplied patches for all application software and operating systems up-to-date.

Users should be cautious of mysterious attachments and executables delivered via email and be cautious of visiting unknown/untrusted websites or opening unknown URL links.

Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of. Always err on the side of caution. Even if the sender is known, the source address may be spoofed.

If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate name CAN-2004-0487 to this issue.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec appreciates the cooperation of Yuu Arai and the Little eArth Corporation security research team in identifying these issues.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

PDF Symantec Vulnerability Response Policy PGP Symantec Product Vulnerability Management PGP Key

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: Monday, 25-Oct-04 15:29:17