|Exploit publicly available||No|
Vulnerabilities were identified in third-party trouble-shooting ActiveX controls, developed by SupportSoft, www.supportsoft.com . Two of these controls were signed, shipped and installed with the identified versions of Symantec's consumer products and as part of the Symantec Automated Support Assistant support tool. The vulnerability identified in the Symantec shipped controls could potentially result in a stack overflow requiring user interaction to exploit. If successfully exploited this vulnerability could potentially compromise a user's system possibly allowing execution of arbitrary code or unauthorized access to system assets with the permissions of the user's browser.
Supported Symantec Product(s) Affected
|Symantec Automated Support Assistant||Update Available|
|Symantec Norton AntiVirus 2006||Update Available|
|Symantec Norton Internet Security 2006||Update Available|
|Symantec Norton System Works 2006||Update Available|
Symantec Products NOT Affected
|Symantec 2007 Consumer Products||All|
|Symantec Norton 360|
|Symantec Corporate and Enterprise Products||All|
Symantec was initially alerted by Next Generation Security Software (NGSS), to stack overflow and unauthorized access vulnerabilities identified in two SupportSoft ActiveX controls, SmartIssue tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and shipped with some of Symantec's 2006 consumer products and used by the Symantec Automated Support Assistant support tool Symantec provides on its consumer support site. These SupportSoft ActiveX components did not properly validate external input. This failure could potentially lead to unauthorized access to system resources or the possible execution of malicious code with the privileges of the user's browser, resulting in a potential compromise of the user's system.
Any attempt to exploit these issues would require interactive user involvement. An attacker would need to be able to effectively entice a user to visit a malicious web site where their malicious code was hosted or to click on a malicious URL in any attempt to compromise the user's system. While these SupportSoft-developed components should also have been effectively site-locked, which would have further reduced the severity, this capability was found to be improperly implemented in the vulnerable versions.
Symantec worked closely with SupportSoft to ensure updates were quickly made available for the identified controls. SupportSoft has posted a Security Bulletin for the controls Symantec uses and controls used in other products on their support site, www.supportsoft.com.
Symantec immediately removed the vulnerable controls from its consumer support site. Symantec engineers tested the updates provided by SupportSoft extensively and once tested updated the Symantec Automated Support Assistant on Symantec's support site. Additionally, in November 2006, the vulnerable versions of these controls were disabled through LiveUpdate for Symantec consumer customers who regularly run interactive updates to their Symantec applications. Those Symantec consumer customers who rely solely on Automatic LiveUpdate would have received an automatic notification to initiate an interactive LiveUpdate session to obtain all pending updates. To ensure all updates have been properly retrieved and applied to Symantec consumer products, users should regularly run an interactive LiveUpdate session as follows:
Symantec Security Response is releasing an AntiVirus Bloodhound definition Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to exploit these vulnerable controls. Virus definitions containing this heuristic will be available through Symantec LiveUpdate or Symantec's Intelligent Updater.
IDS signatures have also been released to detect and block attempts to exploit this issue.
Customers using Symantec Norton Internet Security or Norton Personal Firewall receive regular signature updates if they run LiveUpdate automatically. If not using the Automatic LiveUpdate function, Symantec recommends customers interactively run Symantec LiveUpdate frequently to ensure they have the most current protection available.
Establishing more secure Internet zone settings for the local user can prohibit activation of ActiveX controls without the user's consent.
An attacker who successfully exploited this vulnerability could gain the user rights of the local user. Users whose accounts are configured to have fewer user rights on the system would be less impacted than users who operate with administrative privileges.
As always, if previously unknown malicious code were attempted to be distributed in this manner, Symantec Security Response would react quickly to updated definitions via LiveUpdate to detect and deter any new threat(s).
As part of normal best practices, Symantec strongly recommends a multi-layered approach to security:
A CVE Candidate CVE-2006-6490 has been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec has coordinated very closely with SupportSoft to help ensure that all additional affected vendor customer bases has been provide with information concerning affected controls and updates to address the vulnerability. Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial identification and notification of this issue and for the excellent, in-depth coordination with both Symantec and SupportSoft while resolving the issue. Additionally, this issue was independently identified by the analysts at CERT , in CERT Vulnerability Note VU#441785, who reported their findings to and worked closely with both Symantec and SupportSoft through to resolution and by Peter Vreugdenhil, working through iDefense who coordinated with Symantec as we resolved the issue.