Symantec confirms ActiveX bugs in its own consumer software

Computerworld - Symantec Corp. has confirmed flaws in its most popular consumer security software that could give attackers the means to hijack the Windows PCs that the programs are supposed to protect.

The vulnerabilities are in an ActiveX control that ships with several products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360.

Ironically, Symantec analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls in comments about other companies' product flaws.

According to alerts released Wednesday by VeriSign Inc.'s iDefense, the ActiveX control SymAData.dll sports two vulnerabilities that could be used "to execute arbitrary code with the privileges of the currently logged in user" by attackers able to entice victims to malicious Web sites.

Symantec confirmed the vulnerabilities Wednesday in its own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus 2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008 and Norton 360 Version 1.0.

While it acknowledged the bugs, Symantec also downplayed the threat, saying that attacks would succeed only from specially crafted sites. "To successfully exploit either vulnerability, an attacker would need to be able to masquerade as the trusted Symantec Web site, such as through a cross-site scripting attack or DNS poisoning," read the company's advisory.

However, cross-site scripting attacks have become common, and although DNS "poisoning" — fooling a DNS server into thinking the bogus routing directions it's received are authentic — is less common, it's not unheard of.

Symantec said it is unaware of any attempts to exploit the vulnerabilities.

The flawed ActiveX control is used by Symantec's AutoFix tool, which is included with some of the company's software and may also be downloaded to a PC during a live chat with a Symantec technical support representative. AutoFix diagnoses PC problems and offers solutions.

Previously, Symantec researchers have called on the company's statistics to point out widespread problems with ActiveX. In February, for example, Oliver Friedrichs, director of the company's security response team, reported ActiveX composed 89% of all the browser plug-in vulnerabilities his team had counted in the first half of 2007.

That same month, Symantec joined with the U.S. Computer Emergency Readiness Team (US-CERT) and other security vendors to urge caution when using ActiveX controls after a wave of bugs were revealed in several other software makers' products, including those from Yahoo Inc., Facebook and MySpace.

Symantec has updated the affected consumer security software with new detection definitions designed to block any exploit of the ActiveX flaws, but will not automatically patch everyone's copy of the flawed control.

"An updated (non-vulnerable) version of the AutoFix tool will be automatically installed if customers participate in an online Chat session with Symantec Technical Support," Symantec said. Alternately, users can manually download and install a patched AutoFix from its Web site.