1. Symantec/
  2. Security Response/
  3. Security Updates Detail

Security Advisories Relating to Symantec Products - Symantec Log Viewer JavaScript Injection Vulnerabilities


April 28, 2009

Revision History

Updated Affected Product information to clarify affected products

Risk Impact

Remote AccessNo
Local AccessYes
Authentication RequiredYes
Exploit availableNo


The Log Viewer feature in some Symantec products contains two parsing errors which could be exploited through Java script injection.

Affected Products

Product Version Solution
Norton 360 1.0 Run LiveUpdate in Interactive Mode
Norton Internet Security 2005 through 2008 Run LiveUpdate in Interactive Mode
Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier Update to MR7
Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier Update to MR8
Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier Update to MR2
Symantec Endpoint Protection 11.0 Update to MR1 or later
Symantec Client Security 2.0 MR6 and earlier Update to 2.0 MR7
Symantec Client Security 3.1 MR7 and earlier Update to MR8

Unaffected Products

Product Version
Norton 360 2.0 and later
Norton Internet Security 2009 and later


Next Generation Software notified Symantec that the Symantec Log Viewer (ccLgView.exe) feature used in some Symantec Norton products could be exploited through Javascript injection. Two parsing errors could potentially allow specially crafted email messages to pass a malicious script to the Symantec event log. Symantec Norton products could be exploited by using the View Logs - Email Filtering' option from the Statistics option of the Symantec Log Viewer.

Symantec corporate products do not have this View Logs – Email Filtering option but do install the ccLgView.exe file. Additionally, email information is not stored in the log files viewed using the Symantec Log Viewer in Symantec corporate products.

Symantec Response

Symantec verified that the vulnerabilities exist in the products listed in the Affected Products table above. Updates are available for all impacted products.

This vulnerability can be exploited only if the user views the Email filtering Log when it contains a malicious message.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them.

Although SAV, SCS and SEP do not the expose the ‘View Logs - Email Filtering' option the files are installed on the client system. Symantec recommends that customers update affected versions to avoid potential attempts to exploit these issues.

Updating Norton products

Symantec Norton product users who launch and run LiveUpdate regularly should already have received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

  • Open any installed Norton product
  • Click LiveUpdate
  • Run LiveUpdate until all available product updates are downloaded and installed

Best Practices

As a part of normal best practices, users should keep vendor-supplied patches for all software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability.

Additional best practices include:
  • Run under the principle of least privilege where possible. Information on creating a limited user account is available on the Microsoft web site.
  • Run both a personal firewall and antivirus application with current updates to provide multiple points of detection.
  • Be cautious of unsolicited attachments and executables delivered via email or via instant messaging.
  • Do not open email from unknown sources.
  • Do not follow links provided by unknown or untrusted sources.
  • Email addresses can easily be spoofed so a message appears to come from someone you know. If a message seems suspicious, contact the sender before opening attachments or following web links.


Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.


This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned Use CVE-2009-1428 to this issue

SecurityFocus, http://www.securityfocus.com, has assigned BID 34669 to this issue


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: April 28, 2009
Security Response Blog
The State of Spam