| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Feb 2007 21:47:44 +0000 From: John Smith <genericjohnsmith@...il.com> To: secure@...antec.com Cc: bugtraq@...urityfocus.com Subject: Re: Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support This advisory says that tgctlsi.dll and tgctlsr.dll are vulnerable, however SupportSoft is only providing an update for tgctlsi.dll (http://www.supportsoft.com/support/controls_update.asp). Does tgctlsr.dll call into tgctlsi.dll where the true vulnerability exists, did tgctlsr.dll turn out not to be vulnerable, or has SupportSoft just not provided a fix for tgctlsr.dll? Thanks John On Feb 23, 2007, at 9:01 PM, secure@...antec.com wrote: > Symantec Security Advisory > > SYM07-002 > http://www.symantec.com/avcenter/security/Content/2007.02.22.html > > BID 22564 > > 22 Feb, 2007 > > Stack Overflow in Third-Party ActiveX Controls affects Multiple > Vendor Products Including Some Symantec Consumer Products and > Automated Support > Assistant > > Revision History > None > > Severity > High (dependent on configuration and user interaction) > > BID22564 > http://www.symantec.com/avcenter/security/Content/2007.02.22.html > > Remote Access Yes > Local Access No > Authentication Required No > Exploit publicly available No > Overview > Vulnerabilities were identified in third-party trouble-shooting > ActiveX > controls, developed by SupportSoft, www.supportsoft.com . Two of > these controls were signed, shipped and installed with the > identified versions of Symantec’s consumer products and as part of > the Symantec Automated Support Assistant > support tool. The vulnerability identified in the Symantec shipped > controls could potentially result in a stack overflow requiring > user interaction to exploit. If successfully exploited this > vulnerability could potentially compromise a user’s system possibly > allowing execution of arbitrary code or unauthorized access to system > assets with the permissions of the user’s browser. > > Supported Symantec Product(s) Affected > Product Solution(s) > Symantec Automated Support Assistant > Update Available > Symantec Norton AntiVirus 2006 > Update Available > Symantec Norton Internet Security 2006 > Update Available > Symantec Norton System Works 2006 > Update Available > > Symantec Products NOT Affected > Product(s) Version > Symantec 2007 Consumer Products All > Symantec Norton 360 > Symantec Corporate and Enterprise Products All > > NOTE: Only Symantec Consumer products indicated as affected above > shipped with these vulnerable components. The Symantec Automated > Support Assistant is used by online consumer customer support when > a consumer customer visits the support site requiring assistance. > The Automated Support Assistant tool aids in providing the user > with solution information to their problems. TheSupportSoft > ActiveX controls were initially implemented mid-2005 on Symantec's > consumer support site. During the timeframe up to > August 2006, when the non-vulnerable controls were made available, > vulnerable controls could potentially be installed by the Automated > Support Assistant on customer systems running Symantec > consumer products and versions other than those listed above. > See Symantec Response section to determine if your product has a > vulnerable version of the Automated Support Assistant fix tool. > > Symantec Corporate and Enterprise products do not ship with these > components and are NOT vulnerable to this issue. > > Details > Symantec was initially alerted by Next Generation Security Software > (NGSS), to stack overflow and unauthorized access vulnerabilities > identified in two SupportSoft ActiveX controls, SmartIssue > tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and > shipped with some of Symantec’s 2006 consumer products and used by > the Symantec Automated Support Assistant support tool Symantec > provides onits consumer support site. > These SupportSoft ActiveX components did not properly validate > external input. This failure could potentially lead to > unauthorized access to system resources or the possible execution of > malicious code with the privileges of the user’s browser, resulting > in a potential compromise of the user’s system. > Any attempt to exploit these issues would require interactive user > involvement. An attacker would need to be able to effectively > entice a user to visit a malicious web site where their malicious > code was hosted > or to click on a malicious URL in any attempt to compromise the > user’s system. While these SupportSoft-developed components should > also > have been effectively site-locked, which would havefurther reduced > the severity, this capability was found to be improperly > implemented in the vulnerable versions. > > Symantec Response > Symantec worked closely with SupportSoft to ensure updates were > quickly made available for the identified controls. SupportSoft > has posted a > Security Bulletin, http://www.supportsoft.com/support/ > controls_update.asp, > for the controls Symantec uses and controls used in other products > on their support site, www.supportsoft.com. > > Symantec immediately removed the vulnerable controls from its > consumer support site. Symantec engineers tested the updates > provided by > SupportSoft extensively and once tested updated the Symantec > Automated Support Assistant on Symantec's support site. > Additionally, in November 2006, the vulnerable versions of these > controls were disabled through LiveUpdate for Symantec consumer > customers who regularly run interactive updates to their Symantec > applications. > Those Symantec consumer customers who rely solely on Automatic > LiveUpdate would have received an automatic notification to > initiate an > interactive LiveUpdate session to obtain all pending updates. To > ensure all updates have been properly retrieved and applied to > Symantec > consumer products, users should regularly run an interactive > LiveUpdate session as follows: > * Open any installed Symantec consumer product > * Click on LiveUpdate in the GUI toolbar > * Run LiveUpdate until all available Symantec product updates are > downloaded and installed or you are advised that your system has > the latest > updates available. > Symantec recommends customers always ensure they have the latest > updates to protect against threats. > > Symantec customers who previously downloaded the Symantec Automated > Support Assistant tool beginning in July 2005 and those who have > installed versions of the consumer products indicated above may > also go to the Symantec > support site, https://www-secure.symantec.com/techsupp/asa/ > install.jsp to ensure they have the updated version of the > Automated Support Assistant fix tool. By > downloading the updated version of the Symantec Automated Support > Assistant fix tool, any existing legacy controls are updated with > non-vulnerable > versions. > Customers, who have received support assistance since August 2006, > will already have the latest non-vulnerable versions of these > controls. > Symantec has not seen any active attempts against or customer > impact from these issues. > > Mitigation > Symantec Security Response is releasing an AntiVirus Bloodhound > definition > Bloodhound.Exploit.119, a heuristic detection and prevention for > attempts to exploit these vulnerable controls. Virus definitions > containing this heuristic will be available through Symantec > LiveUpdate or Symantec's Intelligent Updater. > IDS signatures have also been released to detect and block attempts > to exploit this issue. Customers using Symantec Norton Internet > Security or Norton Personal Firewall receive regular signature > updates if they run LiveUpdate automatically. If not using the > Automatic LiveUpdate function, Symantec recommends customers > interactively run Symantec LiveUpdate frequently to ensure they > have the most current protection available. > Establishing more secure Internet zone settings for the local user > can prohibit activation of ActiveX controls without the user’s > consent. > An attacker who successfully exploited this vulnerability could > gain the user rights of the local user. Users whose accounts are > configured to have fewer user rights on the system would be less > impacted than users who operate with administrative privileges. > > As always, if previously unknown malicious code were attempted to > be distributed in this manner, Symantec Security Response would > react quickly > to updated definitions via LiveUpdate to detect and deter any new > threat(s). > > Best Practices > As part of normal best practices, Symantec strongly recommends a > multi-layered approach to security: > * Run under the principle of least privilege where possible. > * Keep all operating systems and applications updated with the > latest vendor patches. > * Users, at a minimum, should run both a personal firewall and > antivirus application with current updates to provide multiple > points of detection > and protection to both inbound and outbound threats. > * Users should be cautious of mysterious attachments and > executables delivered via email and be cautious of browsing unknown/ > untrusted websites or clicking on unknown/untrusted URL links. > * Do not open unidentified attachments or executables from unknown > sources or that you didn't request or were unaware of. > * Always err on the side of caution. Even if the sender is known, > the source address may be spoofed. > * If in doubt, contact the sender to confirm they sent it and why > before opening the attachment. If still in doubt, delete the > attachment without > opening it. > > CVE > A CVE Candidate CVE-2006-6490 has been assigned. This issue is a > candidate for inclusion in the CVE list (http://cve.mitre.org), > which standardizes > names for security problems. > > Credit: > Symantec has coordinated very closely with SupportSoft to help > ensure that all additional affected vendor customer bases has been > provide with information concerning affected controls and updates > to address the vulnerability. > Symantec wants to thank Mark Litchfield of NGS Software Ltd. for > the initial identification and notification of this issue and for the > excellent, in-depth coordination with both Symantec and SupportSoft > while resolving the issue. > Additionally, this issue was independently identified by the > analysts at CERT, > in CERT Vulnerability Note VU#441785, who reported their findings > to and worked closely with both Symantec and SupportSoft through to > resolution > and by Peter Vreugdenhil, working through iDefense who coordinated > with Symantec as we resolved the issue. > > Symantec takes the security and proper functionality of its > products very seriously. As founding members of the Organization > for Internet Safety (OISafety), Symantec follows the principles of > responsible disclosure. > Symantec also subscribes to the vulnerability guidelines outlined > by the National Infrastructure Advisory Council (NIAC). Please contact > secure@...antec.com if you feel you have discovered a potential or > actual security issue with a Symantec product. A Symantec Product > Security team member will contact you regarding your submission. > > Symantec has developed a Product Vulnerability Handling Process > document outlining the process we follow in addressing suspected > vulnerabilities in > our products. > We support responsible disclosure of all vulnerability information > in a timely manner to protect Symantec customers and the security > of the > Internet as a result of vulnerability. This document is available from > http://www.symantec.com/security/ > > Symantec strongly recommends using encrypted email for reporting > vulnerability information to secure@...antec.com. The Symantec Product > Security PGP key can be obtained from the location provided above.
Powered by blists - more mailing lists