Joined: 29 Mar 2003 Posts: 3 Location: East Coast, USA
Posted: Wed Jun 25, 2003 5:57 pm Post subject: Symantec security product contains flaw
Symantec security product contains flaw
By Robert Lemos(rob.lemos@cnet.com)
Quote:
Security-software maker Symantec warned customers Tuesday that users of its online Security Check service have likely downloaded a flawed ActiveX control that could be used by an intruder as a path into the victim's PC.
Security Check is meant to help people lock down their systems and loads an ActiveX script that aids in scanning a person's computer. Ironically, the ActiveX script, which remains on the computer even after scanning, contains a memory flaw that could be used by an attacker to break into the PC.
Symantec has replaced the ActiveX component--which uses the name Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class--uploaded by the site with a new one that overwrites the old software and solves the problem.
The advisory appeared two days after an [url=lists.netsys.com/pipermail/full-disclosure/2003-June/010692.html]independent security researcher revealed the flaw[/url] on the [url=lists.netsys.com/mailman/listinfo/full-disclosure]Full Disclosure security list[/url].
"This is really funny," wrote the discoverer, Cesar Cerrudo. "Symantec tries to protect users and they introduce dangerous ActiveX controls in user's computers" instead.
Cerrudo said he neither tried to contact Symantec about the warning nor gave them 30 days, a standard grace period, to fix the flaw. "I forgot about the 30-day grace period...also I forgot to report it," he wrote in his own advisory, tacking a smiley emoticon to the end.
Symantec wasn't pleased by the lack of a warning.
"It is ours as well as much of the security community's belief that premature disclosure can pose a serious threat to the Internet," the company wrote. "Such disclosure should be discouraged."
Full Article: [url=news.com.com/2100-1009_3-1020682.html]Symantec security product contains flaw[/url]
[url=lists.netsys.com/pipermail/full-disclosure/2003-June/010692.html]Here is[/url] Cesar's intial advisory about the flaw.
Here is Symantec's follow-up advisory fixing the issue.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum