<<< Date Index >>>     <<< Thread Index >>>

Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support



Symantec Security Advisory

SYM07-002
http://www.symantec.com/avcenter/security/Content/2007.02.22.html

BID 22564

22 Feb, 2007

Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products 
Including Some Symantec Consumer Products and Automated Support
Assistant

Revision History
None 

Severity
High (dependent on configuration and user interaction)

BID22564
http://www.symantec.com/avcenter/security/Content/2007.02.22.html

Remote Access  Yes
Local Access  No
Authentication Required  No 
Exploit publicly available  No
Overview
Vulnerabilities were identified in third-party trouble-shooting ActiveX
controls, developed by SupportSoft, www.supportsoft.com . Two of these controls 
were signed, shipped and installed with the identified versions of Symantec?s 
consumer products and as part of the Symantec Automated Support Assistant 
support tool. The vulnerability identified in the Symantec shipped controls 
could potentially result in a stack overflow requiring user interaction to 
exploit.  If successfully exploited this vulnerability could potentially 
compromise a user?s system possibly allowing execution of arbitrary code or 
unauthorized access to system
assets with the permissions of the user?s browser. 

Supported Symantec Product(s) Affected 
Product            Solution(s)
Symantec Automated Support Assistant
Update Available
Symantec Norton AntiVirus 2006
Update Available
Symantec Norton Internet Security 2006
Update Available
Symantec Norton System Works 2006 
Update Available

Symantec Products NOT Affected
Product(s)       Version
Symantec 2007 Consumer Products   All
Symantec Norton 360
Symantec Corporate and Enterprise Products  All

NOTE: Only Symantec Consumer products indicated as affected above shipped with 
these vulnerable components.  The Symantec Automated Support Assistant is used 
by online consumer customer support when a consumer customer visits the support 
site requiring assistance.  
The Automated Support Assistant tool aids in providing the user with solution 
information to their problems.  TheSupportSoft ActiveX controls were initially 
implemented mid-2005 on Symantec's consumer support site.  During the timeframe 
up to 
August 2006, when the non-vulnerable controls were made available, vulnerable 
controls could potentially be installed by the Automated Support Assistant on 
customer systems running Symantec 
consumer products and versions other than those listed above.  
See Symantec Response section to determine if your product has a vulnerable 
version of the Automated Support Assistant fix tool.

Symantec Corporate and Enterprise products do not ship with these components 
and are NOT vulnerable to this issue.

Details
Symantec was initially alerted by Next Generation Security Software (NGSS), to 
stack overflow and unauthorized access vulnerabilities identified in two 
SupportSoft ActiveX controls, SmartIssue tgctlsi.dll and ScriptRunner 
tgctlsr.dll, that Symantec signed and shipped with some of Symantec?s 2006 
consumer products and used by the Symantec Automated Support Assistant support 
tool Symantec provides onits consumer support site. 
These SupportSoft ActiveX components did not properly validate external input.  
This failure could potentially lead to unauthorized access to system resources 
or the possible execution of
malicious code with the privileges of the user?s browser, resulting in a 
potential compromise of the user?s system. 
Any attempt to exploit these issues would require interactive user
involvement.  An attacker would need to be able to effectively entice a user to 
visit a malicious web site where their malicious code was hosted 
or to click on a malicious URL in any attempt to compromise the user?s system. 
While these SupportSoft-developed components should also 
have been effectively site-locked, which would havefurther reduced the 
severity, this capability was found to be improperly implemented in the 
vulnerable versions. 

Symantec Response
Symantec worked closely with SupportSoft to ensure updates were quickly made 
available for the identified controls.   SupportSoft has posted a
Security Bulletin, http://www.supportsoft.com/support/controls_update.asp, 
for the controls Symantec uses and controls used in other products on their 
support site, www.supportsoft.com.

Symantec immediately removed the vulnerable controls from its consumer support 
site.  Symantec engineers tested the updates provided by
SupportSoft extensively and once tested updated the Symantec Automated Support 
Assistant on Symantec's support site.  Additionally, in November 2006, the 
vulnerable versions of these controls were disabled through LiveUpdate for 
Symantec consumer customers who regularly run interactive updates to their 
Symantec applications. 
Those Symantec consumer customers who rely solely on Automatic LiveUpdate would 
have received an automatic notification to initiate an 
interactive LiveUpdate session to obtain all pending updates.  To ensure all 
updates have been properly retrieved and applied to Symantec 
consumer products, users should regularly run an interactive LiveUpdate session 
as follows: 
* Open any installed Symantec consumer product 
* Click on LiveUpdate in the GUI toolbar 
* Run LiveUpdate until all available Symantec product updates are downloaded 
and installed or you are advised that your system has the latest
updates available.
Symantec recommends customers always ensure they have the latest updates to 
protect against threats.

Symantec customers who previously downloaded the Symantec Automated Support 
Assistant tool beginning in July 2005 and those who have installed versions of 
the consumer products indicated above may also go to the Symantec
support site, https://www-secure.symantec.com/techsupp/asa/install.jsp to 
ensure they have the updated version of the Automated Support Assistant fix 
tool.  By
downloading the updated version of the Symantec Automated Support Assistant fix 
tool, any existing legacy controls are updated with non-vulnerable
versions.  
Customers, who have received support assistance since August 2006, will already 
have the latest non-vulnerable versions of these controls.
Symantec has not seen any active attempts against or customer impact from these 
issues.

Mitigation
Symantec Security Response is releasing an AntiVirus Bloodhound definition 
Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to 
exploit these vulnerable controls. Virus definitions containing this heuristic 
will be available through Symantec LiveUpdate or Symantec's Intelligent Updater.
IDS signatures have also been released to detect and block attempts to exploit 
this issue. Customers using Symantec Norton Internet Security or Norton 
Personal Firewall receive regular signature updates if they run LiveUpdate 
automatically. If not using the Automatic LiveUpdate function, Symantec 
recommends customers interactively run Symantec LiveUpdate frequently to ensure 
they have the most current protection available.
Establishing more secure Internet zone settings for the local user can prohibit 
activation of ActiveX controls without the user?s consent.
An attacker who successfully exploited this vulnerability could gain the user 
rights of the local user. Users whose accounts are configured to have fewer 
user rights on the system would be less impacted than users who operate with 
administrative privileges.

As always, if previously unknown malicious code were attempted to be 
distributed in this manner, Symantec Security Response would react quickly
to updated definitions via LiveUpdate to detect and deter any new threat(s).

Best Practices
As part of normal best practices, Symantec strongly recommends a multi-layered 
approach to security: 
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the latest vendor 
patches. 
* Users, at a minimum, should run both a personal firewall and antivirus 
application with current updates to provide multiple points of detection
and protection to both inbound and outbound threats.
* Users should be cautious of mysterious attachments and executables delivered 
via email and be cautious of browsing unknown/untrusted websites or clicking on 
unknown/untrusted URL links.
* Do not open unidentified attachments or executables from unknown sources or 
that you didn't request or were unaware of. 
* Always err on the side of caution. Even if the sender is known, the source 
address may be spoofed.
* If in doubt, contact the sender to confirm they sent it and why before 
opening the attachment. If still in doubt, delete the attachment without
opening it.

CVE 
A CVE Candidate CVE-2006-6490 has been assigned.  This issue is a candidate for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Credit:
Symantec has coordinated very closely with SupportSoft to help ensure that all 
additional affected vendor customer bases has been provide with information 
concerning affected controls and updates to address the vulnerability. 
Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial 
identification and notification of this issue and for the
excellent, in-depth coordination with both Symantec and SupportSoft while 
resolving the issue. 
Additionally, this issue was independently identified by the analysts at CERT, 
in CERT Vulnerability Note VU#441785, who reported their findings to and worked 
closely with both Symantec and SupportSoft through to resolution 
and by Peter Vreugdenhil, working through iDefense who coordinated with 
Symantec as we resolved the issue.

Symantec takes the security and proper functionality of its products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec follows the principles of responsible disclosure. 
Symantec also subscribes to the vulnerability guidelines outlined by the 
National Infrastructure Advisory Council (NIAC). Please contact 
secure@xxxxxxxxxxxx if you feel you have discovered a potential or actual 
security issue with a Symantec product. A Symantec Product 
Security team member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document 
outlining the process we follow in addressing suspected vulnerabilities in
our products. 
We support responsible disclosure of all vulnerability information in a timely 
manner to protect Symantec customers and the security of the
Internet as a result of vulnerability. This document is available from
http://www.symantec.com/security/

Symantec strongly recommends using encrypted email for reporting vulnerability 
information to secure@xxxxxxxxxxxxx The Symantec Product
Security PGP key can be obtained from the location provided above.