Symantec Security Advisory
SYM07-002
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
BID 22564
22 Feb, 2007
Stack Overflow in Third-Party ActiveX Controls affects Multiple
Vendor Products Including Some Symantec Consumer Products and
Automated Support
Assistant
Revision History
None
Severity
High (dependent on configuration and user interaction)
BID22564
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
Remote Access Yes
Local Access No
Authentication Required No
Exploit publicly available No
Overview
Vulnerabilities were identified in third-party trouble-shooting
ActiveX
controls, developed by SupportSoft, www.supportsoft.com . Two of
these controls were signed, shipped and installed with the
identified versions of Symantec’s consumer products and as part of
the Symantec Automated Support Assistant
support tool. The vulnerability identified in the Symantec shipped
controls could potentially result in a stack overflow requiring
user interaction to exploit. If successfully exploited this
vulnerability could potentially compromise a user’s system possibly
allowing execution of arbitrary code or unauthorized access to system
assets with the permissions of the user’s browser.
Supported Symantec Product(s) Affected
Product Solution(s)
Symantec Automated Support Assistant
Update Available
Symantec Norton AntiVirus 2006
Update Available
Symantec Norton Internet Security 2006
Update Available
Symantec Norton System Works 2006
Update Available
Symantec Products NOT Affected
Product(s) Version
Symantec 2007 Consumer Products All
Symantec Norton 360
Symantec Corporate and Enterprise Products All
NOTE: Only Symantec Consumer products indicated as affected above
shipped with these vulnerable components. The Symantec Automated
Support Assistant is used by online consumer customer support when
a consumer customer visits the support site requiring assistance.
The Automated Support Assistant tool aids in providing the user
with solution information to their problems. TheSupportSoft
ActiveX controls were initially implemented mid-2005 on Symantec's
consumer support site. During the timeframe up to
August 2006, when the non-vulnerable controls were made available,
vulnerable controls could potentially be installed by the Automated
Support Assistant on customer systems running Symantec
consumer products and versions other than those listed above.
See Symantec Response section to determine if your product has a
vulnerable version of the Automated Support Assistant fix tool.
Symantec Corporate and Enterprise products do not ship with these
components and are NOT vulnerable to this issue.
Details
Symantec was initially alerted by Next Generation Security Software
(NGSS), to stack overflow and unauthorized access vulnerabilities
identified in two SupportSoft ActiveX controls, SmartIssue
tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and
shipped with some of Symantec’s 2006 consumer products and used by
the Symantec Automated Support Assistant support tool Symantec
provides onits consumer support site.
These SupportSoft ActiveX components did not properly validate
external input. This failure could potentially lead to
unauthorized access to system resources or the possible execution of
malicious code with the privileges of the user’s browser, resulting
in a potential compromise of the user’s system.
Any attempt to exploit these issues would require interactive user
involvement. An attacker would need to be able to effectively
entice a user to visit a malicious web site where their malicious
code was hosted
or to click on a malicious URL in any attempt to compromise the
user’s system. While these SupportSoft-developed components should
also
have been effectively site-locked, which would havefurther reduced
the severity, this capability was found to be improperly
implemented in the vulnerable versions.
Symantec Response
Symantec worked closely with SupportSoft to ensure updates were
quickly made available for the identified controls. SupportSoft
has posted a
Security Bulletin, http://www.supportsoft.com/support/
controls_update.asp,
for the controls Symantec uses and controls used in other products
on their support site, www.supportsoft.com.
Symantec immediately removed the vulnerable controls from its
consumer support site. Symantec engineers tested the updates
provided by
SupportSoft extensively and once tested updated the Symantec
Automated Support Assistant on Symantec's support site.
Additionally, in November 2006, the vulnerable versions of these
controls were disabled through LiveUpdate for Symantec consumer
customers who regularly run interactive updates to their Symantec
applications.
Those Symantec consumer customers who rely solely on Automatic
LiveUpdate would have received an automatic notification to
initiate an
interactive LiveUpdate session to obtain all pending updates. To
ensure all updates have been properly retrieved and applied to
Symantec
consumer products, users should regularly run an interactive
LiveUpdate session as follows:
* Open any installed Symantec consumer product
* Click on LiveUpdate in the GUI toolbar
* Run LiveUpdate until all available Symantec product updates are
downloaded and installed or you are advised that your system has
the latest
updates available.
Symantec recommends customers always ensure they have the latest
updates to protect against threats.
Symantec customers who previously downloaded the Symantec Automated
Support Assistant tool beginning in July 2005 and those who have
installed versions of the consumer products indicated above may
also go to the Symantec
support site, https://www-secure.symantec.com/techsupp/asa/
install.jsp to ensure they have the updated version of the
Automated Support Assistant fix tool. By
downloading the updated version of the Symantec Automated Support
Assistant fix tool, any existing legacy controls are updated with
non-vulnerable
versions.
Customers, who have received support assistance since August 2006,
will already have the latest non-vulnerable versions of these
controls.
Symantec has not seen any active attempts against or customer
impact from these issues.
Mitigation
Symantec Security Response is releasing an AntiVirus Bloodhound
definition
Bloodhound.Exploit.119, a heuristic detection and prevention for
attempts to exploit these vulnerable controls. Virus definitions
containing this heuristic will be available through Symantec
LiveUpdate or Symantec's Intelligent Updater.
IDS signatures have also been released to detect and block attempts
to exploit this issue. Customers using Symantec Norton Internet
Security or Norton Personal Firewall receive regular signature
updates if they run LiveUpdate automatically. If not using the
Automatic LiveUpdate function, Symantec recommends customers
interactively run Symantec LiveUpdate frequently to ensure they
have the most current protection available.
Establishing more secure Internet zone settings for the local user
can prohibit activation of ActiveX controls without the user’s
consent.
An attacker who successfully exploited this vulnerability could
gain the user rights of the local user. Users whose accounts are
configured to have fewer user rights on the system would be less
impacted than users who operate with administrative privileges.
As always, if previously unknown malicious code were attempted to
be distributed in this manner, Symantec Security Response would
react quickly
to updated definitions via LiveUpdate to detect and deter any new
threat(s).
Best Practices
As part of normal best practices, Symantec strongly recommends a
multi-layered approach to security:
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the
latest vendor patches.
* Users, at a minimum, should run both a personal firewall and
antivirus application with current updates to provide multiple
points of detection
and protection to both inbound and outbound threats.
* Users should be cautious of mysterious attachments and
executables delivered via email and be cautious of browsing unknown/
untrusted websites or clicking on unknown/untrusted URL links.
* Do not open unidentified attachments or executables from unknown
sources or that you didn't request or were unaware of.
* Always err on the side of caution. Even if the sender is known,
the source address may be spoofed.
* If in doubt, contact the sender to confirm they sent it and why
before opening the attachment. If still in doubt, delete the
attachment without
opening it.
CVE
A CVE Candidate CVE-2006-6490 has been assigned. This issue is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes
names for security problems.
Credit:
Symantec has coordinated very closely with SupportSoft to help
ensure that all additional affected vendor customer bases has been
provide with information concerning affected controls and updates
to address the vulnerability.
Symantec wants to thank Mark Litchfield of NGS Software Ltd. for
the initial identification and notification of this issue and for the
excellent, in-depth coordination with both Symantec and SupportSoft
while resolving the issue.
Additionally, this issue was independently identified by the
analysts at CERT,
in CERT Vulnerability Note VU#441785, who reported their findings
to and worked closely with both Symantec and SupportSoft through to
resolution
and by Peter Vreugdenhil, working through iDefense who coordinated
with Symantec as we resolved the issue.
Symantec takes the security and proper functionality of its
products very seriously. As founding members of the Organization
for Internet Safety (OISafety), Symantec follows the principles of
responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined
by the National Infrastructure Advisory Council (NIAC). Please contact
secure@xxxxxxxxxxxx if you feel you have discovered a potential or
actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process
document outlining the process we follow in addressing suspected
vulnerabilities in
our products.
We support responsible disclosure of all vulnerability information
in a timely manner to protect Symantec customers and the security
of the
Internet as a result of vulnerability. This document is available from
http://www.symantec.com/security/
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@xxxxxxxxxxxxx The Symantec Product
Security PGP key can be obtained from the location provided above.