Symantec confirmed the flaws in most popular consumer security software that could give attackers the means to hijack the Windows PCs that the programs are supposed to protect.
The vulnerabilities are in an ActiveX control that ships with several products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360.
Ironically, Symantec analysts have both cited the popularity of ActiveX bugs and urged caution when using the controls in comments about other companies’ product flaws.
According to alerts released Wednesday by VeriSign Inc.’s iDefense, the ActiveX control “SymAData.dll” sports two vulnerabilities that could be used “to execute arbitrary code with the privileges of the currently logged in user” by attackers able to entice victims to malicious Web sites.
Symantec confirmed the vulnerabilities Wednesday in its own advisory, and said the buggy control has shipped with Windows versions of Norton AntiVirus 2006-2008, Norton Internet Security 2006-2008, Norton SystemWorks 2006-2008 and Norton 360 version 1.0.
While it acknowledged the bugs, Symantec also downplayed the threat, saying that attacks would only succeed from specially crafted sites. “To successfully exploit either vulnerability, an attacker would need to be able to masquerade as the trusted Symantec Web site, such as through a cross-site scripting attack or DNS poisoning,” read the company’s advisory .
Symantec has updated the affected consumer security software with new detection definitions designed to block any exploit of the ActiveX flaws, but will not automatically patch everyone’s copy of the flawed control.
“An updated (non-vulnerable) version of the AutoFix tool will be automatically installed if customers participate in an online Chat session with Symantec Technical Support,” Symantec said. Alternately, users can manually download and install a patched AutoFix from its Web site.