Date: 26 February 2007
References: ESB-2007.0128
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AusCERT Update AU-2007.0007 - [Win]
Additional Symantec Norton products affected by ActiveX control
vulnerability
26 February 2007
AusCERT Update Summary
----------------------
Product: Symantec Norton AntiVirus 2006
Symantec Norton Internet Security 2006
Symantec Norton System Works 2006
Symantec Automated Support Assistant (if installed from
the Symantec support website prior to Aug 2006)
Publisher: Symantec
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-6490
Ref: ESB-2007.0128
Original Bulletin:
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
Comment: The Symantec advisory below lists their consumer products affected
by the vulnerability previously reported in AusCERT ESB-2007.0128.
- --------------------------BEGIN INCLUDED TEXT--------------------
Symantec Security Advisory
SYM07-002
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
BID 22564
22 Feb, 2007
Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products
Including Some Symantec Consumer Products and Automated Support Assistant
Revision History
None
Severity
High (dependent on configuration and user interaction)
BID22564
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
Remote Access Yes
Local Access No
Authentication Required No
Exploit publicly available No
Overview
Vulnerabilities were identified in third-party trouble-shooting ActiveX
controls, developed by SupportSoft, www.supportsoft.com . Two of these controls
were signed, shipped and installed with the identified versions of Symantec's
consumer products and as part of the Symantec Automated Support Assistant
support tool. The vulnerability identified in the Symantec shipped controls
could potentially result in a stack overflow requiring user interaction to
exploit. If successfully exploited this vulnerability could potentially
compromise a user's system possibly allowing execution of arbitrary code or
unauthorized access to system assets with the permissions of the user's browser.
Supported Symantec Product(s) Affected
Product Solution(s)
Symantec Automated Support Assistant Update Available
Symantec Norton AntiVirus 2006 Update Available
Symantec Norton Internet Security 2006 Update Available
Symantec Norton System Works 2006 Update Available
Symantec Products NOT Affected
Product(s) Version
Symantec 2007 Consumer Products All
Symantec Norton 360
Symantec Corporate and Enterprise Products All
NOTE: Only Symantec Consumer products indicated as affected above shipped
with these vulnerable components. The Symantec Automated Support Assistant
is used by online consumer customer support when a consumer customer visits
the support site requiring assistance.
The Automated Support Assistant tool aids in providing the user with solution
information to their problems. TheSupportSoft ActiveX controls were initially
implemented mid-2005 on Symantec's consumer support site. During the timeframe
up to August 2006, when the non-vulnerable controls were made available,
vulnerable controls could potentially be installed by the Automated Support
Assistant on customer systems running Symantec consumer products and versions
other than those listed above.
See Symantec Response section to determine if your product has a vulnerable
version of the Automated Support Assistant fix tool.
Symantec Corporate and Enterprise products do not ship with these components
and are NOT vulnerable to this issue.
Details
Symantec was initially alerted by Next Generation Security Software (NGSS),
to stack overflow and unauthorized access vulnerabilities identified in two
SupportSoft ActiveX controls, SmartIssue tgctlsi.dll and ScriptRunner
tgctlsr.dll, that Symantec signed and shipped with some of Symantec's 2006
consumer products and used by the Symantec Automated Support Assistant support
tool Symantec provides onits consumer support site.
These SupportSoft ActiveX components did not properly validate external input.
This failure could potentially lead to unauthorized access to system resources
or the possible execution of malicious code with the privileges of the user's
browser, resulting in a potential compromise of the user's system.
Any attempt to exploit these issues would require interactive user involvement.
An attacker would need to be able to effectively entice a user to visit a
malicious web site where their malicious code was hosted or to click on a
malicious URL in any attempt to compromise the user's system. While these
SupportSoft-developed components should also have been effectively site-locked,
which would havefurther reduced the severity, this capability was found to
be improperly implemented in the vulnerable versions.
Symantec Response
Symantec worked closely with SupportSoft to ensure updates were quickly made
available for the identified controls. SupportSoft has posted a Security
Bulletin, http://www.supportsoft.com/support/controls_update.asp, for the
controls Symantec uses and controls used in other products on their support
site, www.supportsoft.com.
Symantec immediately removed the vulnerable controls from its consumer support
site. Symantec engineers tested the updates provided by SupportSoft extensively
and once tested updated the Symantec Automated Support Assistant on Symantec's
support site. Additionally, in November 2006, the vulnerable versions of
these controls were disabled through LiveUpdate for Symantec consumer customers
who regularly run interactive updates to their Symantec applications.
Those Symantec consumer customers who rely solely on Automatic LiveUpdate
would have received an automatic notification to initiate an interactive
LiveUpdate session to obtain all pending updates. To ensure all updates have
been properly retrieved and applied to Symantec consumer products, users
should regularly run an interactive LiveUpdate session as follows:
* Open any installed Symantec consumer product
* Click on LiveUpdate in the GUI toolbar
* Run LiveUpdate until all available Symantec product updates are downloaded
and installed or you are advised that your system has the latest updates
available.
Symantec recommends customers always ensure they have the latest updates to
protect against threats.
Symantec customers who previously downloaded the Symantec Automated Support
Assistant tool beginning in July 2005 and those who have installed versions
of the consumer products indicated above may also go to the Symantec
support site, https://www-secure.symantec.com/techsupp/asa/install.jsp to
ensure they have the updated version of the Automated Support Assistant fix
tool. By downloading the updated version of the Symantec Automated Support
Assistant fix tool, any existing legacy controls are updated with non-vulnerable
versions. Customers, who have received support assistance since August 2006,
will already have the latest non-vulnerable versions of these controls.
Symantec has not seen any active attempts against or customer impact from
these issues.
Mitigation
Symantec Security Response is releasing an AntiVirus Bloodhound definition
Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to
exploit these vulnerable controls. Virus definitions containing this heuristic
will be available through Symantec LiveUpdate or Symantec's Intelligent Updater.
IDS signatures have also been released to detect and block attempts to exploit
this issue. Customers using Symantec Norton Internet Security or Norton
Personal Firewall receive regular signature updates if they run LiveUpdate
automatically. If not using the Automatic LiveUpdate function, Symantec
recommends customers interactively run Symantec LiveUpdate frequently to
ensure they have the most current protection available.
Establishing more secure Internet zone settings for the local user can prohibit
activation of ActiveX controls without the user's consent.
An attacker who successfully exploited this vulnerability could gain the user
rights of the local user. Users whose accounts are configured to have fewer
user rights on the system would be less impacted than users who operate with
administrative privileges.
As always, if previously unknown malicious code were attempted to be distributed
in this manner, Symantec Security Response would react quickly to updated
definitions via LiveUpdate to detect and deter any new threat(s).
Best Practices
As part of normal best practices, Symantec strongly recommends a multi-layered
approach to security:
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the latest vendor
patches.
* Users, at a minimum, should run both a personal firewall and antivirus
application with current updates to provide multiple points of detection
and protection to both inbound and outbound threats.
* Users should be cautious of mysterious attachments and executables delivered
via email and be cautious of browsing unknown/untrusted websites or clicking
on unknown/untrusted URL links.
* Do not open unidentified attachments or executables from unknown sources
or that you didn't request or were unaware of.
* Always err on the side of caution. Even if the sender is known, the source
address may be spoofed.
* If in doubt, contact the sender to confirm they sent it and why before
opening the attachment. If still in doubt, delete the attachment without
opening it.
CVE
A CVE Candidate CVE-2006-6490 has been assigned. This issue is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Credit:
Symantec has coordinated very closely with SupportSoft to help ensure that
all additional affected vendor customer bases has been provide with information
concerning affected controls and updates to address the vulnerability.
Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial
identification and notification of this issue and for the
excellent, in-depth coordination with both Symantec and SupportSoft while
resolving the issue.
Additionally, this issue was independently identified by the analysts at CERT,
in CERT Vulnerability Note VU#441785, who reported their findings to and
worked closely with both Symantec and SupportSoft through to resolution
and by Peter Vreugdenhil, working through iDefense who coordinated with
Symantec as we resolved the issue.
Symantec takes the security and proper functionality of its products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec follows the principles of responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined by the
National Infrastructure Advisory Council (NIAC). Please contact
secure@symantec.com if you feel you have discovered a potential or actual
security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities in
our products. We support responsible disclosure of all vulnerability
information in a timely manner to protect Symantec customers and the security
of the Internet as a result of vulnerability. This document is available from
http://www.symantec.com/security/
Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can
be obtained from the location provided above.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBReI7FSh9+71yA2DNAQIuAAP/Ra6vzciqrMYGVkZm6yG1hUHMy8fIhtn3
dZVreNZMTz8ET7L1zAliwLHVp0tJuu/f2Gn2MtcOfKn2ymRWc3dgeNlWM/cHKc6J
KZ90r4wAJ7RNLo1pIbl70BFTyDklviVSdeHow+1HWb/iOqddFBbkpxxKgC9milop
OYiexk7U6w0=
=ygUs
-----END PGP SIGNATURE-----
|