May 10, 2007

[Security] Norton Internet Security 2006 COM Security Bypass Vulnerability

iDefense has issued a report about a vulnerability in Symantec's Norton Internet Security 2006.

The vulnerability exists in an ActiveX control installed by Norton, which is registered as safe. This control is not designed to be used in an Internet Explorer window; when it is opened in IE, an error occurs and the browser is left in a "defunct" state. After this, other Symantec ActiveX controls can be created even though they are not marked as safe.

This can lead to remote code execution if those controls contain malicious actions or exploitable methods. A remote Web site can host an ActiveX control, which is loaded when the site is visited.

Symantec has issued an advisory to address this issue. Symantec users are advised to use LiveUpdate to be safe from this vulnerability.
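To see which of a vendor's controls are registered as safe and which are not (the distinction this bypass defeats), the following added example, which is not from the iDefense or Symantec advisories, audits a registry export of HKEY_CLASSES_ROOT\CLSID. The sample export, its CLSIDs, names and paths are constructed placeholders; the two category GUIDs are the standard "safe for scripting" and "safe for initialization" identifiers.

```python
import re
from collections import defaultdict

# Component categories IE looks for under a control's "Implemented Categories" key.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4CE4}"
SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C4CE4}"
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed regedit-style export; CLSIDs, names and paths are placeholders.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="ExampleVendor Helper Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4CE4}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C4CE4}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="ExampleVendor Internal Engine"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\engine.dll"
[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Program Files\\OtherVendor\\widget.dll"
'''

def audit_controls(reg_text, vendor_hint):
    """Return {CLSID: info} for controls whose name or server path contains vendor_hint."""
    found = defaultdict(lambda: {"name": "", "server": "", "scripting": False, "init": False})
    clsid, subkey = None, ""
    for line in map(str.strip, reg_text.splitlines()):
        key, val = KEY_RE.match(line), DEFAULT_RE.match(line)
        if key:
            clsid, subkey = key.group(1).upper(), (key.group(2) or "").lower()
            if subkey.startswith("implemented categories\\"):
                catid = subkey.rpartition("\\")[2].upper()
                found[clsid]["scripting"] |= catid == SAFE_FOR_SCRIPTING
                found[clsid]["init"] |= catid == SAFE_FOR_INIT
        elif line.startswith("["):
            clsid = None  # a key outside the CLSID hive: ignore its values
        elif val and clsid and subkey in ("", "inprocserver32"):
            field = "server" if subkey else "name"
            found[clsid][field] = val.group(1).replace("\\\\", "\\")
    hint = vendor_hint.lower()
    return {c: i for c, i in found.items()
            if hint in i["name"].lower() or hint in i["server"].lower()}

def not_marked_safe(controls):
    # Controls that carry neither safe-for category in the registry.
    return sorted(c for c, i in controls.items() if not (i["scripting"] or i["init"]))
```

A control can also declare itself safe at run time through the IObjectSafety interface, which a registry audit like this does not see.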

(Crossposted here.)
