search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Symantec ActiveX control vulnerable to buffer overflow

Vulnerability Note VU#527228

Original Release Date: 2003-07-21 | Last Revised: 2003-09-30

Overview

There is a buffer overflow in a component of Symantec's web-based Security Check.

Description

Symantec describes Security Check as "a free web-based tool that enables users to test their computer's exposure to a wide range of on-line threats. As part of running the check, users may install an ActiveX Control, which remains on the user's system even after the check has completed." A buffer overflow has been discovered in the ActiveX control that is distributed from Symantec's web-based Security Check web site. For further technical details, please see the following documents:

Impact

Any user that visited Symantec's Security Check web site before June 25, 2003, when Symantec replaced the vulnerable ActiveX control, is likely to have the vulnerable control on their system. The only way to get rid of the control is to either visit Symantec's Security Check web site and run another Security Scan, or manually remove the vulnerable control. Users not following, or unaware of, either of these courses of action may be subject to an attacker installing and/or invoking a vulnerable version of the control on their system.This type of behavior could be averted by making use of Microsoft's SiteLock Template. This template "enables an ActiveX developer to restrict access so that the control is only deemed safe in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes." Unfortunately, this Symantec ActiveX control does not make use of the SiteLock Template.

Solution

Symantec has replaced the vulnerable ActiveX control on their web site, and they recommend the following:
Recent visitors to Symantec Security Check should revisit the site and run a new Security Scan. By running a new scan, the previous ActiveX Control will be replaced by an updated ActiveX Control that fixes the buffer overflow condition. Advanced users can attempt to delete the ActiveX Control by rebooting and then going into the system folder: %SystemRoot%\Downloaded Program Files\ and delete "rufsi.dll". This must be done by using the command prompt and the user must not be on the Symantec Security Check site at the time. A removal tool has been developed and can be found here.

Vendor Information

527228
 
Affected   Unknown   Unaffected

Symantec Corporation

Updated:  July 15, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.sarc.com/avcenter/security/Content/2003.06.25.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by Cesar Cerrudo.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0470
Severity Metric: 3.60
Date Public: 2003-06-23
Date First Published: 2003-07-21
Date Last Updated: 2003-09-30 22:01 UTC
Document Revision: 39

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.