Naughty Norton: Symantec Fixes Flaw in Security Software

May 18, 2007

The security vendor has patched a buffer overflow vulnerability that could allow an attacker to remotely execute malicious code.

Symantec has fixed a serious vulnerability with an ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 that could allow a hacker to execute code remotely on a vulnerable system.

According to Symantec officials, the company was notified of the problem by US-CERT. A buffer overflow can be triggered by an error that occurs in the Get () and Set () functions used by ISAlertDataCOM, part of ISLALERT.DLL. Successfully exploiting this vulnerability would allow an attacker to remotely execute malicious code on an unpatched system and give them the rights of the logged-in user, Symantec officials said.

In order for an exploit to work, however, the hacker must first trick the user into viewing a specially crafted HTML document. As noted in the advisory, such attacks frequently begin with an e-mail containing a link to the malicious site that is meant to entice the user.

"Symantec product engineers have determined that the issue affects Norton Personal Firewall and Norton Internet Security 2004 only," the advisory states. "Product updates to correct the problem are available through LiveUpdate."

Though the company lists the threat as medium, it is rated highly critical by Secunia. Symantec officials said they are not aware of any customers impacted by the flaw, or any attempts to exploit it, and recommend users keep their patches up to date. A plug for the security hole can be obtained through Symantec's LiveUpdate feature.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Download woes and HealthKit flaw bite iPhone software

add to favorites email to friend print save as pdf

Related Stories

Web filter lifts block on gay sites

Sep 16, 2014

A popular online safe-search filter is ending its practice of blocking links to mainstream gay and lesbian advocacy groups for users hoping to avoid obscene sites.

Symantec Announced New Norton 360 - All-In-One Security

Feb 27, 2007

Symantec Corp. today announced the availability of its newest product – Norton 360 - All-In-One Security. Norton 360 comprehensive solution combines Symantec's security and PC tune-up technologies with new ...

Hacker 'botnet' hijacked online searches

Feb 07, 2013

Software titan Microsoft and computer security giant Symantec said Thursday that they smashed a hacker-infected computer network that was hijacking Internet searches.

Recommended for you

Hit 'Just Dance' game goes mobile Sept. 25

Sep 18, 2014

Smartphone lovers will get to show off moves almost anywhere with the Sept. 25 release of a free "Just Dance Now" game tuned for mobile Internet lifestyles.

Indie game developers sprouting at Tokyo Game Show

Sep 18, 2014

Nestled among the industry giants at the Tokyo Game Show Thursday are a growing number of small and independent games developers from Asia and Europe, all hoping they are sitting on the next Minecraft.

Review: Ambitious 'Destiny' lacks imagination

Sep 18, 2014

Midway through "Destiny," the new science fiction epic from "Halo" creators Bungie, a smug prince is musing on the hero's desire to visit a mysterious site on Mars.

User comments : 0