1. Symantec/
  2. Security Response/
  3. Security Updates Detail

Security Advisories Relating to Symantec Products - Norton Download Manager DLL Loading


January 17, 2017

Overview | Issues | Affected Products | Mitigation | Best Practices | Acknowledgements | Revisions




Symantec has released an update to address a DLL loading vulnerability detected in the Norton Download Manager for affected products


Highest severity issue: Medium
Number of issues: 1


< Back to top




This update applies to the following issues:




Norton Download Manager DLL Loading





< Back to top




Symantec has verified this issue in Norton Download Manager 5.6 and prior versions. Symantec has addressed the issue in current versions of Norton Download Manager as outlined below.



The following products are affected. No other Symantec products or Norton products other than those listed here use the Norton Download Manager and are not impacted by this issue




Norton Family






See Mitigation Section below for update details

Norton AntiVirus

Norton AntiVirus Basic

Norton Internet Security

Norton 360

Norton 360 Premier

Norton Security

Norton Security with Backup

Norton Security Standard

Norton Security Deluxe

Norton Security Premium

Symantec Endpoint Protection Cloud



< Back to top





Norton Download Manager DLL Loading


BID: 95444

Severity: Medium (CVSSv3: 4.6) AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Impact: Code execution

Exploitation: None


The Norton Download Manager is a small executable stub initially downloaded when a user visits the Norton portal to download a trial or licensed version of Norton security products and Norton Family. The Norton Download Manager is susceptible to a potential DLL loading issue. Ultimately, this issue is caused by a failure of the Norton Download Manager to use an absolute path when loading required DLLs during process startup. This can cause the default DLL search logic to be followed when looking for a required DLL. This could allow unauthorized execution provided a specifically-crafted DLL can be successfully substituted for an authorized DLL in the Norton Download Manager search path (normally the user’s browser download folder). If successfully targeted, the specifically-formatted substitute DLL would execute with the privileges of the logged-on user. In currently supported operating systems, these privileges would be at the user level for the initial actions of the Norton Download Manager as it does not require or request elevated privileges to function.


A remote attack against the Norton Download Manager would need to leverage known methods of trust exploitations in an attempt to compromise an authorized user. Such attempts generally require enticing an authorized user to visit a malicious or compromised website for a drive-by download or to click on a malicious link in an HTTP email to download malicious content.



< Back to top



Norton Download Manager is not updated though Liveupdate. Customers first download Norton Download Manager during the initial install of a Norton security product and it is normally a run-once application to manage the download and install of the selected Norton product. There is some potential that users may need to run a previously downloaded version of Norton Download Manager in the following scenarios:

  • Norton Download Manager has not been run since it was initially downloaded from the Norton portal
  • Norton Download Manager failed to download the full product installer
  • The full product installer itself failed during installation

The upgrade solution for impacted customers is to:

  • Delete any previously downloaded version of Norton Download Manager, version 5.6 or earlier
  • Download the updated version of Norton Download Manager currently posted to the Norton portal that is associated with their Norton security product

Customers and users who want to download a trial version of a Norton security or Norton Family product can visit the Norton website. Once there, navigate to PRODUCT & SERVICES and select Free Trials.

Customers who want to download a licensed Norton security or Norton Family product can log into their Norton account and click on Download.



< Back to top




Symantec recommends the following measures to reduce the risk of attack:

  • Restrict access to administrative or management systems to authorized privileged users.
  • Restrict remote access to trusted/authorized systems only.
  • Users should have UAC enabled and never use a browser while running with elevated privileges to limit the impact of potential exploit attempts.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.



< Back to top




  • Sachin M. Wagh, aka tiger_tigerboy (CVE-2016-6592)
  • Praveen Singh (CVE-2016-6592)
  • Takashi Yoshikawa, Mitsui Bussan Secure Directions working with JP CERT (CVE-2016-6592)



< Back to top




  • January 23, 2017: Updated acknowledgements for clarification
  • March 6, 2017: Cosmetic updates to advisory



< Back to top



Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: January 17, 2017
Security Response Blog
The State of Spam