
Security Advisories Relating to Symantec Products - Symantec Log Viewer JavaScript Injection Vulnerabilities

SYM09-006

April 28, 2009

Revision History

Updated Affected Product information to clarify affected products

Risk Impact

Low
Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit available: No

Overview

The Log Viewer feature in some Symantec products contains two parsing errors which could be exploited through JavaScript injection.

Affected Products

Product | Version | Solution
Norton 360 | 1.0 | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2005 through 2008 | Run LiveUpdate in Interactive Mode
Symantec AntiVirus Corporate Edition | 9.0 MR6 and earlier | Update to MR7
Symantec AntiVirus Corporate Edition | 10.1 MR7 and earlier | Update to MR8
Symantec AntiVirus Corporate Edition | 10.2 MR1 and earlier | Update to MR2
Symantec Endpoint Protection | 11.0 | Update to MR1 or later
Symantec Client Security | 2.0 MR6 and earlier | Update to 2.0 MR7
Symantec Client Security | 3.1 MR7 and earlier | Update to MR8

Unaffected Products

Product | Version
Norton 360 | 2.0 and later
Norton Internet Security | 2009 and later

Details

Next Generation Software notified Symantec that the Symantec Log Viewer (ccLgView.exe) feature used in some Symantec Norton products could be exploited through JavaScript injection. Two parsing errors could potentially allow specially crafted email messages to pass a malicious script to the Symantec event log. Symantec Norton products could be exploited by using the 'View Logs - Email Filtering' option from the Statistics option of the Symantec Log Viewer.

Symantec corporate products do not have this View Logs – Email Filtering option but do install the ccLgView.exe file. Additionally, email information is not stored in the log files viewed using the Symantec Log Viewer in Symantec corporate products.
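
The class of flaw described above, email-derived fields reaching a log view that interprets markup, is shown here as an added example; it is not Symantec's code and does not reproduce the two parsing errors. It assumes the viewer renders entries as HTML, and the field names (sender, subject), row layout and sample entries are constructed for illustration.

```javascript
// Added example: the entry fields and HTML row layout are assumptions,
// not taken from ccLgView.exe.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: email-controlled fields are concatenated into markup,
// so a logged subject line is parsed as HTML when the log is viewed.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.sender}</td><td>${entry.subject}</td></tr>`;
}

// Hardened pattern: every logged field is encoded at output time,
// regardless of what the mail filter accepted at write time.
function renderRowSafe(entry) {
  const sender = escapeHtml(entry.sender);
  const subject = escapeHtml(entry.subject);
  return `<tr><td>${sender}</td><td>${subject}</td></tr>`;
}

// Detection helper: flag stored log entries whose fields carry markup,
// script URLs or inline event handlers, for review before display.
function findSuspiciousEntries(entries) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|javascript:|on\w+\s*=/i;
  return entries.filter((entry) =>
    Object.values(entry).some((field) => markup.test(String(field))));
}

// Constructed sample of email filtering log entries.
const SAMPLE_LOG = [
  { sender: 'alice@example.com', subject: 'Quarterly report' },
  { sender: 'bob@example.com', subject: '<script>alert(1)</script>' },
  { sender: '"><img src=x onerror=alert(1)>', subject: 'Re: hello' },
];

for (const entry of SAMPLE_LOG) {
  console.log(renderRowSafe(entry));
}
console.log('flagged entries:', findSuspiciousEntries(SAMPLE_LOG).length);
```

Encoding at display time protects the viewer even when older log files already contain markup written before the update.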

Symantec Response

Symantec verified that the vulnerabilities exist in the products listed in the Affected Products table above. Updates are available for all impacted products.

This vulnerability can be exploited only if the user views the Email filtering Log when it contains a malicious message.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them.

Although SAV, SCS and SEP do not expose the 'View Logs - Email Filtering' option, the files are installed on the client system. Symantec recommends that customers update affected versions to avoid potential attempts to exploit these issues.

Updating Norton products

Symantec Norton product users who launch and run LiveUpdate regularly should already have received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

  • Open any installed Norton product
  • Click LiveUpdate
  • Run LiveUpdate until all available product updates are downloaded and installed

Best Practices

As a part of normal best practices, users should keep vendor-supplied patches for all software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability.

Additional best practices include:
  • Run under the principle of least privilege where possible. Information on creating a limited user account is available on the Microsoft web site.
  • Run both a personal firewall and antivirus application with current updates to provide multiple points of detection.
  • Be cautious of unsolicited attachments and executables delivered via email or via instant messaging.
  • Do not open email from unknown sources.
  • Do not follow links provided by unknown or untrusted sources.
  • Email addresses can easily be spoofed so a message appears to come from someone you know. If a message seems suspicious, contact the sender before opening attachments or following web links.

Credit

Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.

References

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2009-1428 to this issue.

SecurityFocus, http://www.securityfocus.com, has assigned BID 34669 to this issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS Signature naming convention. See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST for more information.
Last modified on: April 28, 2009