Vulnerability Note VU#312510
Symantec Norton AntiVirus 2004 ActiveX control fails to properly validate input
There is a vulnerability in an ActiveX control provided by Norton AntiVirus 2004 that could allow an attacker to execute arbitrary programs, launch a browser window containing an unauthorized URL, or cause a denial of service on a vulnerable system.
Norton AntiVirus 2004 is an application that provides the ability to scan email messages, files, and other content to detect viruses, worms, and other malicious code. There is a vulnerability in the way an ActiveX control provided by Norton AntiVirus 2004 processes external input. In order to exploit this vulnerability, an attacker would need to convince a victim to view malicious HTML (a web page, for example).
A remote, unauthenticated attacker could cause a denial of service, launch a browser window containing an unauthorized URL, or execute programs that reside on the victim's system with privileges of the vulnerable process. According to Symantec Security Advisory SYM04-009, an attacker would need to know the location of the executable on the victim's system in order to launch the program.
Symantec has provided an update to address this issue. Symantec recommends that clients running Norton AntiVirus 2004 use the LiveUpdate feature to apply this update. According to Symantec, this can be done as follows:
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Symantec Corporation | Affected | - | 21 May 2004 |
This vulnerability was reported by Yuu Arai of the Little eArth Corporation (LAC).
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 20 May 2004
- Date First Published: 21 May 2004
- Date Last Updated: 21 May 2004
- Severity Metric: 3.94
- Document Revision: 14