May 20, 2004
Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability
May 24, 2004 – Added CVE Candidate name
LAC (Little eArth Corporation, Ltd) notified Symantec of a security issue they discovered in an ActiveX control used by Symantec Norton AntiVirus 2004. If successfully exploited, this vulnerability could allow remote execution of code residing on the local system with the privileges of the logged-on user, the launch of unauthorized pop-ups, or a denial of service (DoS) against the Symantec Norton AntiVirus application on the targeted system.
Symantec Norton AntiVirus 2004
LAC notified Symantec of a vulnerability in an ActiveX control used in Symantec Norton AntiVirus 2004. The ActiveX control does not properly verify/validate external input. A malicious individual could potentially exploit this control to launch arbitrary executables of the attacker's choice with user privileges. The vulnerability could also be used to launch an unauthorized URL (pop-up) on the system, or to create a DoS situation that causes the Symantec Norton AntiVirus application to freeze.
To successfully launch an executable, the executable program would have to already exist on the local system, and its location would have to be known to the attacker. This could limit the potential impact of this type of attack. In all of these types of attacks, the attacker would need to entice the targeted user either to visit a location where the malicious script could be launched or to download and launch the malicious script on their system.
Symantec verified the issues LAC reported in Symantec Norton AntiVirus 2004. Symantec product engineers have developed a fix and released patches for all impacted product versions through Symantec's LiveUpdate.
Symantec recommends all users of Symantec Norton AntiVirus 2004 update immediately to apply this fix.
Symantec users who normally run manual LiveUpdates will already be protected. However, to ensure all available patches have been properly applied to Symantec products, users should run a manual LiveUpdate as follows:
Open any installed Symantec product
Click on LiveUpdate in the toolbar
Run LiveUpdate until all available Symantec product updates are downloaded and installed
Symantec is not aware of any active exploits for or customer impact from this issue.
As a part of normal user best practice, Symantec recommends a multi-layered approach to security.
Users should, at a minimum, run both a personal firewall and an antivirus application with current updates to provide multiple points of detection and protection against both inbound and outbound threats.
Users should keep vendor-supplied patches for all application software and operating systems up-to-date.
Users should be cautious of mysterious attachments and executables delivered via email and be cautious of visiting unknown/untrusted websites or opening unknown URL links.
Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of. Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate name CAN-2004-0487 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec appreciates the cooperation of Yuu Arai and the Little eArth Corporation security research team in identifying these issues.