CERT Coordination Center

Symantec Norton AntiVirus 2004 ActiveX control fails to properly validate input

Vulnerability Note VU#312510

Original Release Date: 2004-05-21 | Last Revised: 2004-05-21

Overview

There is a vulnerability in an ActiveX control provided by Norton AntiVirus 2004 that could allow an attacker to execute arbitrary programs, launch a browser window containing an unauthorized URL, or cause a denial of service on a vulnerable system.

Description

Norton AntiVirus 2004 is an application that provides the ability to scan email messages, files, and other content to detect viruses, worms, and other malicious code. There is a vulnerability in the way an ActiveX control provided by Norton AntiVirus 2004 processes external input. In order to exploit this vulnerability, an attacker would need to convince a victim to view malicious HTML (a web page, for example).

Impact

A remote, unauthenticated attacker could cause a denial of service, launch a browser window containing an unauthorized URL, or execute programs that reside on the victim's system with the privileges of the vulnerable process. According to Symantec Security Advisory SYM04-009, an attacker would need to know the location of the executable on the victim's system in order to launch the program.

Solution

Use LiveUpdate

Symantec has provided an update to address this issue. Symantec recommends that clients running Norton AntiVirus 2004 use the LiveUpdate feature to apply this update. According to Symantec, this can be done as follows:

    • Open any installed Symantec product
    • Click on LiveUpdate in the toolbar
    • Run LiveUpdate until all available Symantec product updates are downloaded and installed

Vendor Information


Symantec Corporation Affected

Updated:  May 21, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to Symantec Security Advisory SYM04-009.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by Yuu Arai of the Little eArth Corporation (LAC).

This document was written by Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 3.94
Date Public: 2004-05-20
Date First Published: 2004-05-21
Date Last Updated: 2004-05-21 17:30 UTC
Document Revision: 14

Sponsored by CISA.