• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Symantec security product contains flaw

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses

View previous topic :: View next topic  
Author Message
Rottz
Just Arrived
Just Arrived


Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

Offline

PostPosted: Wed Jun 25, 2003 5:57 pm    Post subject: Symantec security product contains flaw Reply with quote

Symantec security product contains flaw
By Robert Lemos(rob.lemos@cnet.com)
Quote:
Security-software maker Symantec warned customers Tuesday that users of its online Security Check service have likely downloaded a flawed ActiveX control that could be used by an intruder as a path into the victim's PC.

Security Check is meant to help people lock down their systems and loads an ActiveX script that aids in scanning a person's computer. Ironically, the ActiveX script, which remains on the computer even after scanning, contains a memory flaw that could be used by an attacker to break into the PC.

Symantec has replaced the ActiveX component--which uses the name Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class--uploaded by the site with a new one that overwrites the old software and solves the problem.

The advisory appeared two days after an [url=lists.netsys.com/pipermail/full-disclosure/2003-June/010692.html]independent security researcher revealed the flaw[/url] on the [url=lists.netsys.com/mailman/listinfo/full-disclosure]Full Disclosure security list[/url].

"This is really funny," wrote the discoverer, Cesar Cerrudo. "Symantec tries to protect users and they introduce dangerous ActiveX controls in user's computers" instead.

Cerrudo said he neither tried to contact Symantec about the warning nor gave them 30 days, a standard grace period, to fix the flaw. "I forgot about the 30-day grace period...also I forgot to report it," he wrote in his own advisory, tacking a smiley emoticon to the end.

Symantec wasn't pleased by the lack of a warning.

"It is ours as well as much of the security community's belief that premature disclosure can pose a serious threat to the Internet," the company wrote. "Such disclosure should be discouraged."
Full Article: [url=news.com.com/2100-1009_3-1020682.html]Symantec security product contains flaw[/url]

[url=lists.netsys.com/pipermail/full-disclosure/2003-June/010692.html]Here is[/url] Cesar's intial advisory about the flaw.
Here is Symantec's follow-up advisory fixing the issue.

Here are a few good following emails:
[url=lists.netsys.com/pipermail/full-disclosure/2003-June/010735.html]From: Cesar <cesarc56@yahoo.com>[/url]
From: Jason Coombs <jasonc@science.org>
From: Chris Wysopal <weld@vulnwatch.org>

What does everyone thing about this issue?
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register