The Register ®

Biting the hand that feeds IT

The Register » Security »

Original URL: http://www.theregister.co.uk/2007/08/09/norton_security_bugs/

Symantec security products less than secure

By Dan Goodin in San Francisco
Published Thursday 9th August 2007 23:27 GMT

In a world where digital gremlins seem to lurk in almost every shadow, many of us feel safer using an internet security package. But for those using many Norton security products who haven't updated recently, that feeling is a false sense of security.

That's because a nasty bug residing in two ActiveX controls used in Norton's PC software could allow an attacker to remotely execute code on the user's machine. Symantec is advising (http://www.symantec.com/avcenter/security/Content/2007.08.09.html) users to immediately update affected versions, which include the 2006 versions of Norton AntiVirus, Norton Internet Security, and Norton System Works and the 2005 version of Norton Internet Security, Anti Spyware Edition.

"This error could allow an attacker to crash Internet Explorer, or possibly run arbitrary code with the rights of the logged in user," Symantec warned. The attacker would first have to lure a vulnerable machine to a booby-trapped website, the advisory added.

Secunia rates the flaw (http://secunia.com/advisories/25215/) "highly critical," the second-highest category in its five-tier rating system.

The bug is the result of an "input validation" error, which fails to analyze incoming data for malicious commands before executing them. Norton is encouraging all users to run the program's Live Update feature immediately. ®

© Copyright 2008