Vulnerability Note VU#312510

Symantec Norton AntiVirus 2004 ActiveX control fails to properly validate input

Original Release date: 21 May 2004 | Last revised: 21 May 2004

Overview

There is a vulnerability in an ActiveX control provided by Norton AntiVirus 2004 that could allow an attacker to execute arbitrary programs, launch a browser window containing an unauthorized URL, or cause a denial of service on a vulnerable system.

Description

Norton AntiVirus 2004 is an application that provides the ability to scan email messages, files, and other content to detect viruses, worms, and other malicious code. There is a vulnerability in the way an ActiveX control provided by Norton AntiVirus 2004 processes external input. In order to exploit this vulnerability, an attacker would need to convince a victim to view malicious HTML (a web page, for example).

Impact

A remote, unauthenticated attacker could cause a denial of service, launch a browser window containing an unauthorized URL, or execute programs that reside on the victim's system with the privileges of the vulnerable process. According to Symantec Security Advisory SYM04-009, an attacker would need to know the location of the executable on the victim's system in order to launch the program.

Solution

Use LiveUpdate

Symantec has provided an update to address this issue. Symantec recommends that clients running Norton AntiVirus 2004 use the LiveUpdate feature to apply this update. According to Symantec, this can be done as follows:

  • Open any installed Symantec product
  • Click on LiveUpdate in the toolbar
  • Run LiveUpdate until all available Symantec product updates are downloaded and installed

Systems Affected

Vendor | Status | Date Notified | Date Updated
Symantec Corporation | Affected | - | 21 May 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Yuu Arai of the Little eArth Corporation (LAC).

This document was written by Damon Morda.

Other Information

  • CVE IDs: Unknown
  • Date Public: 20 May 2004
  • Date First Published: 21 May 2004
  • Date Last Updated: 21 May 2004
  • Severity Metric: 3.94
  • Document Revision: 14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.