May 16, 2007
Symantec Norton Personal Firewall 2004 ActiveX Control Buffer Overflow

Revision History

Risk Impact

Remote AccessYes
Local AccessYes
Authentication RequiredYes
Exploit publicly availableNo

An ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contains a buffer overflow vulnerability.

Affected Products
Norton Internet Security2004Run LiveUpdate
Norton Personal Firewall2004Run LiveUpdate

Unaffected Products
Norton Antivirus2005 and laterAll
Norton Internet Security2005 and laterAll
Norton System Works2005 and laterAll
Norton ConfidentialAllAll
Norton 360AllAll
Symantec Client SecurityAllAll
Symantec AntiVirus Corporate EditionAllAll

CERT notified Symantec that a buffer overflow exists in an ActiveX Control used by Norton Personal Firewall. The error occurs in the Get() and Set() functions used by ISAlertDataCOM, which is part of ISLALERT.DLL. A successful exploit of this vulnerability could potentially allow the remote execution of code on a vulnerable system, with the rights of the logged-in user.

Symantec Response
Symantec product engineers have determined that the issue affects Norton Personal Firewall and Norton Internet Security 2004 only. Product updates to correct the problem are available through LiveUpdate.

To successfully exploit this vulnerability, an attacker would need to entice the user to view a specially crafted HTML document. This type of attack is often achieved by sending email containing a link to the malicious site, and persuading the recipient to click on the link.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability.

How to obtain the update
Norton Internet Security and Norton Personal firewall 2004 users who normally run manual LiveUpdate to obtain product updates can also obtain this update through the same process. Run manual LiveUpdate as follows:

If you have not previously installed all available product updates, you will need to obtain those updates first. You will need to modify your LiveUpdate settings to connect to the archive LiveUpdate server to obtain the previous product updates.

Please see this Knowledgebase article for information:

How to obtain the programs updates that are archived on Symantec LiveUpdate server

After you have downloaded and installed all available updates from the archive server, you will be able to download the update for this vulnerability.

Symantec has released IPS signatures for the Symantec products listed below, to detect attempts to exploit this vulnerability.

Best Practices
As part of normal best practices, Symantec strongly recommends a multi-layered approach to security:

Symantec would like to thank Will Dormann of the CERT Coordination Center ( for reporting this issue and coordinating with us on the response.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (, which standardizes names for security problems. The CVE initiative has assigned CVE-2007-1689 to this issue

Initial Post on: Wednesday, 16-May-07 07:40:00
Last modified on:
ProductsSecurity Update Number (SU#)
Symantec Client Security62 and later
Norton Internet Security50 and later
Symantec Gateway Security46 and later
Symantec Network Security81 and later