Security Advisories

Details:Symantec was notified by the NMRC of file sharing parameters issues in the way our desktop firewall applications open log files. This could possibly permit an unauthorized user on the system to potentially modify or delete the firewall logs in certain Symantec personal and Internet Security firewall products. The firewall log files are opened with FILE_SHARE_READ and FILE_SHARE_WRITE share access parameters. The issue here is that another application using the appropriate Win32 API call could potentially be used to re-open the firewall log files and overwrite the firewall log entries, even though the firewall application is running. Although the application's dialog tabs will still show the proper alert entries while the application is running, once the firewall service is stopped and restarted, the log entries reflect what was overwritten.
Additionally, the default install permissions allow everyone full control. This default permission could potentially allow a non-privileged user who, while not having permission on the Service Control Manager database to stop services, could still potentially open the log files, using calls to the file sharing parameters, and make appropriate modifications to the log files to remove alerts or any indications of attempted attacks against the targeted system. Once the firewall service is stopped and restarted, the log files would reflect the modified entries.

Mitigation

Symantec Response:Symantec's Desktop Firewall, Norton Internet Security System and Norton Personal Firewall provide intrusion protection, firewall rules, and application control to protect individual PCs and small-networked systems from online threats. The sensitive information logged to the firewall log files is an important part of properly maintaining the security of the system and providing information on inbound and outbound system activity. Symantec is constantly working to upgrade the security of our products and is currently testing an update to further secure the firewall logs from any unauthorized access and modifications. This security update will be available via LiveUpdate.
Securing a user's computer from real and potential attacks by Internet threats takes a multi-tiered approach. Symantec's firewall solutions together with a leading antivirus solution such as Norton AntiVirus are complementary products and together form a comprehensive solution to online threats such as viruses and hackers. Additionally, Symantec recommends the following Best Practices to enhance protection of your systems to unauthorized access.

1. Ensure there are strong, unique passwords established for each account on the system.
2. If the system's firmware allows the setting of a password when the system is turned on, known as a BIOS or EEPROM password, enable and set the BIOS password (ensure it is unique from the account password).
3. Control physical access to the system to prevent unauthorized individuals from gaining easy access to the system.
4. Users should always practice safe computing to minimize their exposure to security risks.
5. Users should keep their patch levels for all software up-to-date and be leery of mysterious attachments/executables coming from email, user groups, etc. Users should err on the side of caution by denying access to unexpected communication attempts, not opening attachments or executables from sources they don't know, and scan all attachments with an up-to-date anti-virus product before opening, even if the sender is known.

Acknowledgements

Symantec takes the security of their products very seriously and appreciates the coordination of NMRC in identifying and providing technical details of potential areas of concern so we can quickly address the issue

References

Additional Data

Legacy ID: SYM02-001

Owner: James Terrill

Created: 22-JAN-02 12.00.00.000000000 AM

Modified: 22-JAN-02 12.00.00.000000000 AM

Classification: Norton

DetailsEdvice Security Services Ltd. tested Symantec Norton AntiVirus 2002 and reported the following behaviors:

1. It is possible to bypass Norton AntiVirus 2002 Incoming Email Protection by injecting a NULL character into the MIME message. If the NULL character appears before the virus part, then Norton AntiVirus 2002 fails to detect the virus. Embedding virus or malicious code in specific non-RFC compliant MIME formats in some instances causes Norton AntiVirus 2002 to prematurely terminate scanning, allowing infected emails to go undetected in the initial incoming scanning process.
2. Embedding malicious code in certain non-RFC compliant MIME formats in some instances causes Norton AntiVirus 2002 to prematurely terminate scanning, allowing infected e-mails to go undetected in the initial incoming scanning process.
3. There are 2 file types, .nch and .dbx, which are excluded by default from Norton AntiVirus 2002 scanning. An attacker can take either a Word macro virus or an executable file with an embedded virus, rename it with an .nch or a .dbx extension, and send it to a victim. If the victim runs Norton AntiVirus 2002, these files would be excluded from being scanned. Because Windows automatically recognizes these files, double-clicking the file executes the infected document.
4. Renaming a .doc or .exe file with an "excluded" extension could deceive Norton AntiVirus 2002 to exclude the file from being scanned. For example,
    
   Content-Type: application/msword;
   name=\"Virus.nch\" or Virus.dbx
   
   Content-Transfer-Encoding: base64
   
   Content-Disposition: attachment;
   filename=\"Virus.exe\"
   
   In this example, the victim will receive an .exe file and not an .nch file. Microsoft Outlook determines the file name using the Content-Disposition field while Norton AntiVirus 2002 excludes the file after looking at the Content-Type field. Norton AntiVirus 2002 looks at the first "name" field while Outlook presents the filename as Virus.exe. An attacker can take a macro virus (for example, Virus.exe), rename it to Virus.nch, and send it to a potential victim. If the victim is using Norton AntiVirus 2002, the virus will not be detected by the email protection feature or by the Auto-Protect feature. However, double-clicking this file will cause it to execute

Mitigation

Symantec ResponseSymantec feels that there are some basic misunderstandings concerning the impact of Edvice Security's findings. Symantec Norton AntiVirus products provide multiple-layered scanning to protect in these cases. Symantec customers are not in danger of being infected through any of these issues.

Regarding the first two issues, Symantec has confirmed that although the initial incoming scan may be bypassed in the manner described by Edvice, the Symantec Norton AntiVirus AutoProtect feature protects a system by scanning active files for viruses, Trojan horses, and worms. If malicious code is hidden in such a manner as to bypass the initial email scan, the malicious virus or code would be detected in real time by a scheduled or manual scan if the file were saved on the targeted system. Additionally, attempts to execute the malicious code would cause Symantec Auto-Protect to alert. Finally, Symantec's Script Blocking feature would further prevent any malicious scripts from running on the targeted system. That said, Symantec takes the security of its products very seriously. Symantec will have an update to address this RFC issue available via LiveUpdate shortly.

In the third issue, newsgroups use .nch files for caching and local storage while the .dbx files are the mailbox files for Microsoft Outlook Express. It is true that by renaming the file type of a malicious file to one of the excluded file types, this will bypass the initial incoming email scan. Further, by renaming a Microsoft Office document containing malicious code or macros to one of the excluded extensions, Microsoft Office will still recognize the document as a Microsoft document and execute it on the system. However, when the malicious Microsoft document is executed the Norton AntiVirus Office plug-in would scan it and alert the user to any potential malicious activity. A renamed file or a type other than a Microsoft document would not execute on the computer and, therefore, could not infect a user's computer. Symantec is reviewing the exclusion feature to respond to this type of issue.

The fourth issue is similar to the third. By renaming a file containing malicious code to one with an excluded extension and delivering it in the non-RFC compliant MIME format, Norton Antivirus' incoming email scan could be bypassed and the malicious file saved on the system as a executable file or as a Microsoft Office document. However, if an attempt is made to execute the malicious file on the computer, the file will be detected by Norton AntiVirus or by the Norton AntiVirus Office plug-in, depending on the file type, which would alert the user to any potential malicious activity. Symantec will have an update to address this RFC issue available via LiveUpdate shortly.

Symantec recommends the following Best Practices to enhance the protection of your computers from unauthorized access:

1. Keep vendor-supplied patches for all software up-to-date
2. Be wary of mysterious attachments and executables delivered from email, user groups, and so on
3. Do not open attachments or executables from unknown sources. Always err on the side of caution
4. Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment
5. If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it

Acknowledgements

Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the coordination of Mickey Boodaei and Edvice Security Services Ltd. in identifying and providing technical details of potential areas of concern so it can quickly address the issue.

References

Additional Data

Legacy ID: SYM02-005

Owner: James Terrill

Created: 07-MAR-02 12.00.00.000000000 AM

Modified: 07-MAR-02 12.00.00.000000000 AM

Classification: Norton

DetailsSECURITY.NNOV tested Symantec Norton AntiVirus 2002 and reported that they could bypass the incoming mail scan capability by using a non-RFC compliant case in the incoming MIME header. According to SECURITY.NNOV, most mail user agents (MUA), the mail handler software that interfaces with the user, ignore the case of Content-Type and Content-Disposition headers while some content filtering software behaves in different ways to the non-RFC compliant headers. By mixing the case of the Content-Type and Content-Disposition headers as in the following example:
 

CONTENT-type: text/plain;
NAme=\"eicar.com\"

SECURITY.NNOV reported that the incoming mail scan capability in Symantec Norton AntiVirus 2002 could be bypassed

Mitigation

Symantec ResponseSymantec researched this issue and feels that there are some basic misunderstandings concerning the impact of the SECURITY.NNOV findings.

Previous issues concerning non-RFC compliant MIME headers bypassing incoming mail scanning in versions of Symantec Norton AntiVirus 2002 have been reported, analyzed and repaired. While, the non-RFC compliant MIME header reported by SECURITY.NNOV impacted earlier releases of Symantec Norton AntiVirus 2002, systems running Symantec Norton AntiVirus 2002 with the latest updates are not vulnerable to the SECURITY.NNOV issue.

Additionally, Symantec Norton AntiVirus products provide multiple-layered scanning protection. Symantec customers are not in any danger of being infected through any of the non-RFC compliant issues reported. Were malicious code to be hidden in such a manner as to bypass the initial email scan, the malicious virus or code would be detected by real-time scans if the file was saved on the targeted system. Additionally, attempts to execute the malicious code would cause Symantec Auto-Protect to alert.

That said, Symantec takes the security of its products very seriously. Ensure that you are running Symantec Norton AntiVirus 2002 with the latest updates for full protection against this issue.

Symantec recommends the following Best Practices to enhance the protection of your computers from unauthorized access:

1. Keep vendor-supplied patches for all software up-to-date.
2. Be wary of mysterious attachments and executables delivered from email, user groups, and so on.
3. Do not open attachments or executables from unknown sources. Always err on the side of caution.
4. Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment.
5. If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.

Acknowledgements

Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the identification of potential areas of concern so it can quickly address the issue.

References

Additional Data

Legacy ID: SYM02-006

Owner: James Terrill

Created: 03-APR-02 12.00.00.000000000 AM

Modified: 03-APR-02 12.00.00.000000000 AM

Classification: Norton

DescriptionOn 16 April, 2002, Symantec became aware of a SYN/FIN scan issue reported on SecurityFocus. By using a SYN/FIN scan, an attacker would be able to port scan a Microsoft Windows 2000 computer so that the computer responds even if Symantec Norton Personal Firewall 2002 is installed. A second reported issue states that a plain install of a Microsoft Windows 2000 system with Symantec Norton Personal Firewall 2002 installed is susceptible to a packet fragmentation denial of service (DoS) attack known as Jolt2.

Mitigation

Symantec ResponseSymantec has evaluated both issues. Although a Microsoft Windows 2000 computer can be detected through the SYN/FIN scan, Symantec Norton Personal Firewall 2002 continues to protect the computer from an actual intrusion by blocking connections to the computer.

Because Symantec takes the security of its customers very seriously, an update to Symantec Norton Personal Firewall 2002 and Symantec Norton Internet Security 2002 has been made available via Symantec's LiveUpdate to address this concern. Users of Symantec Norton Personal Firewalls running the latest updates are fully protected.

To protect users from Jolt2 DoS attacks against Microsoft Windows 2000 computers, Symantec recommends that Microsoft Windows 2000 Service Pack 1 (SP1) or later be installed. Microsoft Windows 2000 with SP1 or later is not susceptible to this problem. The latest updates for Microsoft products can be obtained from the Microsoft Windows Update site.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.

Symantec further recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications to provide multiple points of detection and protection to both inbound and outbound threats.

Acknowledgements

References

Additional Data

Legacy ID: SYM02-008

Owner: James Terrill

Created: 16-MAY-02 12.00.00.000000000 AM

Modified: 16-MAY-02 12.00.00.000000000 AM

Classification: Norton

DescriptionThe security professionals with @stake discovered a buffer overflow condition in the handling of outgoing http requests by the http filter on the Symantec Norton Internet Security 2001. During Symantec's testing this issue was found to impact the Symantec Norton Personal Firewall 2001 as well. The buffer overflow condition overwrites the first three bytes of the EDI register causing a kernel exception, resulting in a GPF on the targeted system and requiring a reboot.

The GPF is the result of improper error checking in the array allocated to store the hostname specified in the outgoing connection. By supplying an abnormally long hostname in the outgoing http request, the buffer in the http filter is overrun causing the kernel exception and the GPF.

This exception occurs whether the firewall rules permit outgoing http connections or not.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0663 to this issue.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseSymantec engineers verified the buffer overflow condition exists in Symantec's Norton Internet Security 2001, Symantec's Norton Personal Firewall 2001 as well as Symantec's Desktop Firewall 2.0 and 2.01. They have further determined that the GPF does not occur in the latest release of Symantec's Norton Personal Firewall 2002, Norton Internet Security 2002, Norton Internet Security 2002 Professional Edition nor the Symantec Client Security, Symantec's integrated antivirus, intrusion detection and firewall replacement for Symantec Desktop Firewall.

However, Symantec takes any product issue such as this very seriously. We are developing a patch for Symantec Norton Internet Security 2001, and Personal Firewall 2001 to address this issue. The patch will be available via LiveUpdate when completed. We are further enhancing the capabilities of future Symantec products to provide additional protection against these types of issues.

There are some circumstances that greatly mitigate the risk associated with this issue. The buffer overflow condition identified by @stake occurs only in outgoing http requests through the Symantec Norton Internet Security, Personal Firewall and Symantec Desktop Firewall product's http filter.

Any attempt to launch an attack of this nature requires the attacker to either have or be able to gain local access to the targeted system in order to initiate the http request or cause the system user, through a malicious email attachment or by directing the user to a malicious web site, to download and execute malicious code on their system.

Symantec recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications with current updates to provide multiple points of detection and protection to both inbound and outbound threats.

Users should keep vendor-supplied patches for all application software and operating systems up-to-date.

Users should further be wary of mysterious attachments and executables delivered via email.

Do not open attachments or executables from unknown sources. Always err on the side of caution.

Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment.

If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.

Acknowledgements

Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Ollie Whitehouse and @stake, Inc. in identifying and providing technical details of areas of concern as well as working closely with Symantec so we could properly address the issue. Anyone with information on security issues with Symantec products should contact symsecurity@symantec.com.

References

Additional Data

Legacy ID: SYM02-011

Owner: James Terrill

Created: 15-JUL-02 12.00.00.000000000 AM

Modified: 15-JUL-02 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec became aware of an issue with the functionality of the Symantec Norton AntiVirus Corporate Edition GUI help interface that allows a client user to gain privileged access to files or functionality on the local system.

When a user accesses the user interface GUI on the Norton AntiVirus Corporate Edition client, e.g., when doing a scan, either manual or scheduled; reviewing history, during real-time protection alerts, etc.; the user can request help by way of the help button in the GUI toolbar. Norton AntiVirus Corporate Edition help functionality was implemented with an interface to winhlp32, the built-in operating system help function. This interface was made to provide the user with a common interface that the user understands, is use to, and is able to implement quickly and easily.

However, there is a weakness in the way the interface was made that permits the winhlp32 functionality to assume permissions from Norton AntiVirus Corporate Edition, which by necessity runs with SYSTEM privileges, rather than retaining the limited user privileges normally assigned to the logged in user. By manipulating the winhlp32 interface the local user gains the ability to search all system files, assume full permission for all directories and files on the client system, or even add themselves to the administrative group on the local system

Mitigation

Symantec ResponseSymantec has verified that this vulnerability does exist in client applications of earlier versions of Symantec Norton AntiVirus Corporate Edition. This vulnerability has been eliminated in current versions of Symantec Norton AntiVirus Corporate Edition, version 7.5.1 Build 62 and later as well as version 7.6.1 Build 35a and later that are available for download.

While this has potential to be a serious vulnerability, there are mitigating circumstances that greatly reduce the risk of intentional or inadvertent use of this weakness in Symantec Norton AntiVirus Corporate Edition.

• The user must have a user account on the targeted system and be logged on interactively to exploit this weakness.
• This weakness cannot be exploited remotely.
• System privileges can only be gained on the local system, which normally limits the impact to the client user system.
• Access to domain controllers / administrator systems would normally be restricted to trusted Administrators only with restricted access to the physical system.

Symantec strongly recommends all users of Symantec Norton AntiVirus Corporate Edition upgrade to the latest version release to prevent potential misuse of this weakness. Please see immediately below for instructions on upgrading:
 

Platinum customersNew build downloads and product information are available on the Platinum Web site.
Gold customersInformation to download current builds (updates) will be provided only when the build is known to fix an issue that the customer is experiencing. Please have your customer ID and upgrade insurance information readily available when contacting technical support at the following number: 1-800-927-4017. Software upgrades are available only through Upgrade Insurance shipments.
Customers without Gold or Platinum supportPlease contact 1-800-927-4017 to determine if you qualify. You may still qualify for an update if verification can be made that the newer build will solve a problem on your computer.

Acknowledgements

Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the efforts of Harry Johnson, Technical Support group, Waikato University, New Zealand in identifying and providing technical details of this issue. Symantec further appreciates the efforts of ERRor of Domain HELL Team for identification of this issue as well

References

Additional Data

Legacy ID: SYM02-016

Owner: James Terrill

Created: 15-OCT-02 12.00.00.000000000 AM

Modified: 15-OCT-02 12.00.00.000000000 AM

Classification: Norton

DescriptionOn 13 January 2003, Symantec became aware of an issue originally reported on BugTraq. By sending an excessively large echo request, a crash can occur on a Windows 2000 or Windows XP system with Symantec Norton Personal Firewall 2003 installed

Mitigation

Symantec ResponseSymantec engineers have evaluated and verified that this issue exists for Symantec's Norton Personal Firewall 2003, Symantec's Norton Internet Security 2003 as well as Symantec's Norton Internet Security 2003 Professional Edition. Sending this excessively large echo request results in the overflow of an internal buffer and causes a crash of the system. This issue does not occur on systems running Windows 9x, Windows ME or Windows NT.

Symantec takes any product issue such as this very seriously. We have developed an update for Symantec Norton Personal Firewall 2003, Symantec Norton Internet Security 2003 and Symantec Norton Internet Security 2003 Professional Edition to address this issue. The update is now available via LiveUpdate.

There are some circumstances that greatly mitigate the risk associated with this issue. In this instance, the system is attempting to send an excessively large echo request. Any attempt to do this requires either local access to the targeted system to initiate the request or malicious code that initiates the request is downloaded and executed on the target system.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure. Symantec further recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications to provide multiple points of detection and protection to both inbound and outbound threats.

Users should further be wary of mysterious attachments and executables delivered via email. Do not open attachments or executables from unknown sources. Always err on the side of caution. Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment. If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it

Acknowledgements

References

Additional Data

Legacy ID: SYM03-001

Owner: James Terrill

Created: 17-JAN-03 12.00.00.000000000 AM

Modified: 17-JAN-03 12.00.00.000000000 AM

Classification: Norton

DescriptionOn December 26, 2002, Symantec became aware of an issue originally reported by the Security Net Services (SNS) security research group. By receiving a compressed zip file attachment with an excessively long file name, a buffer overflow can lead to arbitrary code in the security context of the user currently logged onto the target system.

Mitigation

Symantec ResponseSymantec engineers have evaluated and verified that this issue exists for Symantec's Norton AntiVirus 2002. Newer versions such as of Norton AntiVirus 2003 are not affected by this issue.

Symantec takes any product issue such as this very seriously. We have developed an update for Symantec Norton AntiVirus 2002 to address this issue. The update is now available via LiveUpdate. Localized versions of the patch are being worked on.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure. Symantec further recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications to provide multiple points of detection and protection to both inbound and outbound threats.

Users should further be wary of mysterious attachments and executables delivered via email. Do not open attachments or executables from unknown sources. Always err on the side of caution. Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment. If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.

Acknowledgements

Symantec appreciates the support of Little eArth Corporation Co., Ltd (LAC), Japan. For information about their SecureNet Service advisories, visit their Web site

References

Additional Data

Legacy ID: SYM03-002

Owner: James Terrill

Created: 28-FEB-03 12.00.00.000000000 AM

Modified: 28-FEB-03 12.00.00.000000000 AM

Classification: Norton

DescriptionThis issue was posted to Bugtraq on June 24, 2003 by Pal Juvancz of the Department of Public Works in Queensland, Australia.
 

Mitigation

Symantec ResponseThe issue was identified, reproduced and corrected with NAV CE 7.61 build 37b, with symevent 10.3.2.10. All subsequent builds work as designed. The customer verified that the problem was fixed and was upgraded to the latest release (8.01).

Acknowledgements

References

Additional Data

Legacy ID: SYM03-004

Owner: James Terrill

Created: 01-JUL-03 12.00.00.000000000 AM

Modified: 01-JUL-03 12.00.00.000000000 AM

Classification: Norton

DescriptionA vulnerability has been discovered in the Auto-protect component of Norton AntiVirus. Users with access to a system can craft a buffer, send it to Auto-Protect and cause the system to crash. Exploit code has been created as a proof on concept for this vulnerability.

Symantec considers this to be a low to medium threat. Access to the system must be obtained before the vulnerability can be exploited.

Mitigating the risk - Microsoft Windows systems ship with the guest user account activated. It is recommended that the system administrator or user disable or at least password protect this account. Some level of system access is required to exploit the vulnerability. By restricting access to the system running vulnerable code will substantially reduce the risk from this and many other vulnerabilities.
As is always recommended for security, users are encouraged to not grant system access to non-trusted people. Reasonable caution should also be exercised when opening email attachments, downloading and running executables, or other similar type activities from the Internet.

Mitigation

Symantec ResponsePatches that address this vulnerability are available for Symantec AV 8.01 build 446, Symantec AV 8.1 build 825, NAVCE 7.61 build 46a and NAVCE 7.61 build 50.

Note: Symantec AV 8.01 build 457 and Symantec AV 8.11 build 314 and later have incorporated this fix and do not need to be patched.

Installing the patchTwo versions of the patch are available for each of Symantec AV versions 8.01 build 446, Symantec AV 8.1 build 825, NAVCE 7.61 build 46a and NAVCE 7.61 build 50. For Windows 95, 98 and Me, use the version whose file name ends with "Win9x.zip." For Windows NT, 2000, XP, and 2003 servers and clients, use the version whose file name ends with "only.zip." The patch consists of a single executable to be run on each computer.

Note: For Windows NT, 2000, XP, and 2003, you must be logged in as the local administrator account to apply the patch.
After the patch for Windows 9x/Me clients finishes, a prompt to restart the computer appears. This restart is mandatory. Windows NT, 2000, XP and 2003 clients and servers do not require a restart.

Patches for Symantec AV 8.01 build 446:NAVAP-Patch8.01b446_only.zip   NAVAP-Patch8.01b446_only-Win9x.zip

Patches for Symantec AV 8.1 build 825:NAVAP-Patch8.1b825_only.zip   NAVAP-Patch8.1b825_only-Win9x.zip

Patches for NAVCE 7.61 build 50:NAVAP-Patch7.6b50_only.zip   NAVAP-Patch7.6b50_only-Win9x.zip

Patches for NAVCE 7.61 build 46a:NAVAP-Patch7.6b46a_only.zip   NAVAP-Patch7.6b46a_only-Win9x.zip

Note: If you have a version of Symantec AV or NAVCE that is not one of the specific builds listed, you cannot install the patch. For information on obtaining the specified builds, read the document How to obtain an update or an upgrade for your Symantec corporate product

Acknowledgements

References

Additional Data

Legacy ID: SYM03-006

Owner: James Terrill

Created: 08-AUG-03 12.00.00.000000000 AM

Modified: 08-AUG-03 12.00.00.000000000 AM

Classification: Norton

DescriptionSymantec's Norton Internet Security blocks inappropriate web content to help parents keep their children safe from inappropriate material while online. The Norton Parental Control blocks access to newsgroups and Web sites that may not be suitable for children. When a link is accessed or followed to one of the sites on the blocked list, Norton Internet Security returns a message stating that the site is restricted and has been blocked. The returned message includes the URL of the restricted site and is presented in a separate browser window Norton Internet Security opens on the client system. Digital Pranksters reported that they were able to supply a URL from a blocked site that contained an additional unauthorized script embedded in the URL. This script displayed in the blocked access message window on the client system.

Mitigation

Symantec ResponseSymantec has verified this issue. There is a bug in the way Norton Internet Security is validating the content it returns in the informational page. This is being fixed and will be forthcoming in a future LiveUpdate to Norton Internet Security products.

The risk presented by this bug is very low to non-existent. Any unauthorized script returned in the blocked site URL runs in the context of the informational window that Norton Internet Security opens on the client system. This is a very restricted environment providing no access to the client system outside of the display window or any unauthorized information from the client system to be sent out. While it presents little risk to the client system, it is unwarranted action that is being addressed.

Symantec takes any potential security issues with Symantec products very seriously. While the issue described by the Digital Pranksters applies only to the subset of Web sites contained in the Norton Internet Security Block Site list, there are many other malicious Web sites on the Internet and many ways of enticing a careless surfer to visit such a site. Symantec recommends the following best practices as part of a normal security posture:

• Keep vendor-supplied security patches and updates for all application software and operating systems current.
• Run current Anti-Virus/Firewall applications and keep the definitions updated. Systems should be scanned on a regular basis.
• Be wary of attachments delivered via email. Especially ones with .vbs, .bat, .exe, .pif and .scr file extensions that are commonly used to spread viruses, worms, and trojans.
• Even if the sender is known, users should be wary of attachments or unknown files if the sender does not thoroughly explain the content in the body of the email. The source of the original attachment is often unknown.
• If in doubt, users should contact the sender before opening the attachment or downloading the file to see if, in fact, they did intend to send it. If there is still doubt, users should delete the document in question without opening it.
• If you intend to download an attachment, download to a separate folder and scan prior to opening.
• Practice safe surfing.

Acknowledgements

Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Digital Pranksters security team in identifying and providing details of this area of concern as well as working closely with Symantec to properly address the issue

References

Additional Data

Legacy ID: SYM03-007

Owner: James Terrill

Created: 27-OCT-03 12.00.00.000000000 AM

Modified: 27-OCT-03 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec was alerted to remote access vulnerabilities that NGSsoftware discovered while evaluating Symantec Norton Internet Security 2004 and Symantec Norton AntiSpam 2004. Symantec Norton Internet Security and Symantec Norton AntiSpam 2004 contain ActiveX components that do not properly validate/parse external input. A malicious individual could potentially exploit these weaknesses to launch a local application on the target system and possibly run arbitrary code of their choice on the local system with elevated privileges.

To do this successfully, the attacker would need to either entice the targeted user to visit a location where the malicious code could be launched or to download and launch the malicious code on their system. Successful execution of these security issues could result in compromise of the targeted system.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the following Candidate names to these issues:

The Symantec Norton AntiSpam issue has been assigned CAN-2004-0363

The Symantec Norton Internet Security issue has been assigned CAN-2004-0364

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseSymantec verified the issue reported by NGSsoftware for Symantec Norton AntiSpam 2004 and Symantec Norton Internet Security 2004 and released a fix via Symantec LiveUpdate. Additional review determined the issue NGSsoftware reported for Symantec Norton Internet Security 2004 also impacted additional versions of Symantec Client Firewall products. Symantec product engineers developed fixes for the issue and released patches for all impacted products through Symantec LiveUpdate and technical support channels.

To update retail products via Symantec LiveUpdate, users should:

• Open any installed Symantec product
• Click on LiveUpdate in the toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

Customers running Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels.

Symantec is not aware of any active attempts against or customer impact from this issue.

As a part of normal best practices, Symantec recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications with current updates to provide multiple points of detection and protection to both inbound and outbound threats.

Users should keep vendor-supplied patches for all application software and operating systems up-to-date.

Users should further be wary of mysterious attachments and executables delivered via email and be wary of visiting unknown/untrusted websites.

Do not open attachments or executables from unknown sources. Always err on the side of caution.

Even if the sender is known, be wary of attachments if the sender does not fully explain the attachment content in the body of the email. You do not know the source of the attachment.

If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.

Acknowledgements

Symantec appreciates the cooperation of Mark Litchfield and the NGSsoftware research team in identifying these issues

References

Additional Data

Legacy ID: SYM04-005

Owner: James Terrill

Created: 19-MAR-04 12.00.00.000000000 AM

Modified: 19-MAR-04 12.00.00.000000000 AM

Classification: Norton

DetailsLAC notified Symantec of a vulnerability in an ActiveX control used in Symantec Norton AntiVirus 2004. The ActiveX control does not properly verify/validate external input. A malicious individual could potentially exploit this control to launch arbitrary executables of the attacker's choice with user privileges. The vulnerability could also be used to launch an unauthorized URL (pop-up) on the system; or, create a DoS situation causing the Symantec Norton AntiVirus application to freeze.

To successfully launch an executable, the executable program would have to already exist on the local system and the location of the executable known to the attacker. This could limit the potential impact of this type of attack. In all of these types of attacks, the attacker would need to either entice the targeted user to visit a location where the malicious script could be launched or to download and launch the malicious script on their system.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate name CAN-2004-0487 to this issue.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems

Mitigation

Symantec ResponseSymantec verified the issues LAC reported in Symantec Norton AntiVirus 2004. Symantec product engineers have developed a fix and released patches for all impacted product versions through Symantec's LiveUpdate.

Symantec recommends all users of Symantec Norton AntiVirus 2004 update immediately to apply this fix.

Symantec users who normally run manual LiveUpdates will already be protected. However, to ensure all available patches have been properly applied to Symantec products, users should run a manual LiveUpdate as follows:

• Open any installed Symantec product
• Click on LiveUpdate in the toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec is not aware of any active exploits for or customer impact from this issue.

As a part of normal user best practice, Symantec recommends a multi-layered approach to security.

Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.

Users should keep vendor-supplied patches for all application software and operating systems up-to-date.

Users should be cautious of mysterious attachments and executables delivered via email and be cautious of visiting unknown/untrusted websites or opening unknown URL links.

Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of. Always err on the side of caution. Even if the sender is known, the source address may be spoofed.

If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.

Acknowledgements

Symantec appreciates the cooperation of Yuu Arai and the Little eArth Corporation security research team in identifying these issues

References

Additional Data

Legacy ID: SYM04-009

Owner: James Terrill

Created: 20-MAY-04 12.00.00.000000000 AM

Modified: 20-MAY-04 12.00.00.000000000 AM

Classification: Norton

DetailsiDefense reported a problem with Symantec's Norton AntiVirus consumer products in effectively scanning files and directories with MS-DOS reserved device names. Device names such as COM1, CON or LPT1 are reserved words, and not intended to be used as directory or file names. In fact, in the early MS-DOS and Win 3.x days, they could not be used as directory or file names. However there are currently ways to create directories or files in Win32 systems using reserved device names that could contain potentially malicious code. Symantec Norton AntiVirus consumer products currently do not consistently scan these types of files during automatic and manual scans. To get such a maliciously configured file on a target system, the attacker would need to either entice the targeted user to visit a location where the malicious file could be downloaded to the target system or have access to the target system to upload or transfer the malicious file.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate name CAN-2004-0920 to this issue.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseSymantec engineers have thoroughly tested this issue on all supported Symantec Norton AntiVirus consumer products. All Symantec Norton AntiVirus consumer products successfully scan incoming email files with MS-DOS reserved device names to detect malicious content. However, scanning of files with MS-DOS reserved device names residing on a system was inconsistent.Symantec engineers have developed a fix for this issue for Symantec Norton AntiVirus 2004 that is currently available through LiveUpdate. The fix is being incorporated into all other supported Symantec Norton AntiVirus versions and will be available through LiveUpdate when fully tested and released. Symantec is not aware of any active exploits for or customer impact from this issue.

As a part of normal user best practice, Symantec highly recommends a multi-layered approach to security.

• Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
• Users should keep vendor-supplied patches for all application software and operating systems up-to-date.
• Users should be cautious of mysterious attachments and executables delivered via email and be cautious of visiting unknown/untrusted websites or opening unknown URL links.
• Do not open unidentified attachments or executables from unknown sources or that you didn't request.
• Always err on the side of caution. Even if the sender is known, the source address may be faked.
• If in doubt, contact the sender to confirm they sent the attachment and why before opening the attachment. If still in doubt, delete the attachment.

Acknowledgements

Symantec appreciates the cooperation of the iDefense research team in identifying this issue and coordinating with Symantec in the resolution process

References

Additional Data

Legacy ID: SYM04-015

Owner: James Terrill

Created: 05-OCT-04 12.00.00.000000000 AM

Modified: 05-OCT-04 12.00.00.000000000 AM

Classification: Norton

DetailsA posting to the Bugtraq mailing list reported an issue with Symantec's Norton AntiVirus 2004. The poster reported that he could defeat the script blocking capability in Symantec Norton AntiVirus 2004 by running a malicious VBS script on the target system that kills the Auto-Protect capability. By running his script on the target system, the poster reported he was able to terminate the running Auto-Protect process, and kill the Auto-Protect feature of Symantec's Norton AntiVirus 2004 product. According to the poster, terminating the running Auto-Protect process could leave the targeted system vulnerable to additional malicious code attacks.
 

Mitigation

Symantec ResponseSymantec engineers have thoroughly tested this issue on all supported Symantec Norton AntiVirus consumer products.

There is some basic misunderstanding in the posting about what impact killing the running Auto-Protect process has on Symantec's Auto-Protect functionality. Terminating CCApp.exe, as the poster states, will cause the Norton AntiVirus icon in the system tray to disappear and, will disable the user notifications regarding Auto-Protect actions, a very low risk denial of service. But, the user's system continues to be protected by the underlying Auto-Protect capability. The protection profile of the Symantec Norton AntiVirus application is not affected.

Were a user to download malicious code to a system while the CCApp.exe process is terminated in this manner, the user would not receive an Auto-Protect alert pop-up notification. However, the malicious code would be detected by Symantec's Norton AntiVirus Auto-Protect function and would be prevented from being written to file or executed on the targeted system. The Auto-Protect notifications and the system tray icon can be easily restored by:

• going to start =>Programs=>and opening Symantec Norton AntiVirus which kicks off the Auto-Protect running process
• or, when the system is rebooted

Although this is a very low risk issue, Symantec takes the security and functionality of their products very seriously. Symantec product engineers are currently investigating alternatives to address this issue. A resolution to this minimal disruption for Symantec's 2005 product versions has been completed. The update can be obtained through technical support from this location.

As a part of normal user best practices, Symantec highly recommends a multi-layered approach to security.

• At minimum, run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
• Keep vendor-supplied patches for all application software and operating systems up-to-date.
• Exercise caution when visiting unknown/untrusted websites or opening unknown URL links.
• Do not open unidentified attachments or executables from unknown sources or that you didn't request.
• Always err on the side of caution. Even if the sender is known, the source address may be faked.
• If in doubt, contact the sender to confirm they sent the attachment and why before opening the attachment. If still in doubt, delete the attachment.

Acknowledgements

References

Additional Data

Legacy ID: SYM04-016

Owner: James Terrill

Created: 10-NOV-04 12.00.00.000000000 AM

Modified: 10-NOV-04 12.00.00.000000000 AM

Classification: Norton

Of particular importance to Symantec products and Symantec customers is the portion of the MS04-028 bulletin that states "Not every program that installs this file is vulnerable to this issue because it may not use the gdiplus.dll file to process JPEG images. Even when the third-party application uses the gdiplus.dll file to process JPEG images it may not do so in a vulnerable way. For example if an application does not allow users to supply images for processing or performs additional validation on the images before processing, it may not be vulnerable."

Some Symantec retail products use classes within the Symantec-installed gdiplus.dll for drawing purposes, font display, etc. as well as, in some instances, to display dedicated images extracted from Symantec-installed resource libraries. Symantec products do NOT use the Symantec-installed version of gdiplus.dll to render user-supplied JPEG images.

While not vulnerable to exploitation attempts described in Microsoft's Bulletin MS04-028, Symantec initiated an update program during normal maintenance to upgrade the gdiplus.dll version installed with our affected products to the latest gdiplus.dll release available. Once fully certified and thoroughly tested the applicable updates were posted for download via Symantec LiveUpdate.

Mitigation

Symantec customers who regularly run Symantec LiveUpdate should already be updated to the current gdiplus.dll in most affected products. However, the Symantec gdiplus.dll update requires a current version of Symantec Windows LiveUpdate to download and install properly on some of the affected products. The current version of Symantec Windows LiveUpdate is version 2.6 that is available for download from the Symantec technical support site at http://www.symantec.com/techsupp/files/lu/lu.html.

To determine your version of Symantec LiveUpdate:

• Open any Symantec product installed on your system that uses LiveUpdate, e.g., Symantec SystemWorks 2005
• Click on LiveUpdate in the toolbar
• Click on the LiveUpdate system menu to see the drop-down selections
• Click on "About LiveUpdate" to determine the version of LiveUpdate running

If you are running a version of Symantec LiveUpdate prior to v2.6, you should download Symantec Windows LiveUpdate v2.6 from the support site indicated above to upgrade your system to the latest release of Symantec Windows LiveUpdate.

The Symantec LiveUpdate upgrade may require a restart of your system to properly initialize the updated version. Continue to run Symantec LiveUpdate until LiveUpdate indicates that all installed products are up-to-date.

As a part of normal user best practice, Symantec highly recommends a multi-layered approach to security to ensure a strong security profile.

• Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
• Users should keep vendor-supplied patches for all application software and operating systems up-to-date.
• Users should be cautious of mysterious attachments and executables delivered via email and be cautious of visiting unknown/untrusted websites or following unknown URL links.
• Do not open unidentified attachments or executables from unknown sources or that you did not request.
• Always err on the side of caution. Even if the sender is known, the source address may be faked.
• If in doubt, contact the sender to confirm they sent the attachment and why before opening the attachment. If still in doubt, delete the attachment.

Acknowledgements

References

Additional Data

Legacy ID: SYM05-002

Owner: James Terrill

Created: 18-JAN-05 12.00.00.000000000 AM

Modified: 18-JAN-05 12.00.00.000000000 AM

Classification: Norton

DetailsIssue One:
JPCERT reported a DoS, impacting Symantec Norton AntiVirus 2004 and 2005 products, that occurs when the Auto-Protect module of Symantec Norton AntiVirus scans a specific file type.

Symantec Auto-Protect module loads in Windows as a virtual device driver. Running in the background, Auto-Protect scans files for viruses, Trojan, and worms. Auto-Protect scans any files that are received from any source, such as the Internet, removable disks, or email attachments and scans any time that files are accessed, such as when a file is copied, moved, run, or opened. Auto-Protect intercepts any run, open, or create activity and scans the file before allowing the action to continue.

In the issue, when Auto-Protect was invoked to scan a particular file type, e.g. introduced on a CD, copied and pasted into the system, etc., the resultant scan caused the system to hang and generate a general protection fault error, or BSOD requiring a system reboot to clear.

Issue Two:
IPA reported a DoS problem that impacts Symantec Norton AntiVirus 2005 products and only when the SmartScan feature of AutoProtect is enabled.

SmartScan was developed as an alternative to the "scan all files" feature of NAV Auto-Protect and Manual Scan. SmartScan scans a specific group of file extensions as well as all .exe and .doc files. SmartScan will scan .exe and .doc files even if the file extensions for the .exe and .doc files have been changed.

In this instance, under certain circumstances with SmartScan enabled, renaming a file stored on a network share can induce a system crash when the modification kicks off SmartScan. Based on the file write for the name change, SmartScan will be invoked to scan the file, which can result in excess CPU consumption and ultimately a system crash.

CVEA CVE candidate number will be requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once the CVE candidate number has been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseSymantec product engineers confirmed both issues impacting Symantec’s Auto-Protect feature in Symantec Norton AntiVirus and have developed and released a patch for all impacted products through Symantec LiveUpdate. Customers running Automatic LiveUpdate should already be updated.
To manually update via Symantec LiveUpdate, users should:

• Open any installed Symantec product
• Click on LiveUpdate in the toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec is unaware of any adverse customer impact from either of these issues

Acknowledgements

Symantec would like to thank Mr. Isamu Noguchi, who initially identified both issues, for reporting them to the Information-Technology Promotion Agency-Japan and JPCERT. Symantec further thanks IPA and JPCERT for providing the coordination while Symantec resolved the issues

References

Additional Data

Legacy ID: SYM05-006

Owner: James Terrill

Created: 28-MAR-05 12.00.00.000000000 AM

Modified: 28-MAR-05 12.00.00.000000000 AM

Classification: Norton

DetailsThe DiskMountNotify component of Symantec Norton AntiVirus for Macintosh does not set its execution path environment. A non-privileged user can change their execution path environment. If the user then executes the DiskMountNotify component, it will inherit the changed environment and use it to locate system commands. The DiskMountNotify is configured to run with System Administrative privileges (SUID) and is vulnerable to a potential Trojan horse attack.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2005-3270 to this issue.

This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseA patch has been created and made available for all affected version of the product through Symantec LiveUpdate.

To perform a manual update using Symantec LiveUpdate, users should:

• Open any installed Symantec product
• Click on LiveUpdate in the toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec is not aware of any active attempts against or customers impacted by this issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.

Acknowledgements

Symantec thanks iDefense, for notification of this issue and coordinating disclosure as it was resolved

References

Additional Data

Legacy ID: SYM05-020

Owner: James Terrill

Created: 19-OCT-05 12.00.00.000000000 AM

Modified: 19-OCT-05 12.00.00.000000000 AM

Classification: Norton

DetailsThe NProtect directory is used to store temporary copies of files that the user has deleted or modified. This feature supplements the Windows Recycle Bin, creating a temporary backup of certain types of files that the Windows Recycle Bin does not back up. The Norton Protected Recycle Bin allows the user to recover these protected files if they are accidentally deleted.

NProtect is hidden from the Windows FindFirst/FindNext APIs. Since the hidden directory is not visible to Windows, files in the directory might not be scanned during scheduled or manual virus scans. Files in the NProtect directory are scanned by on-access scanners like Symantec's Auto-Protect, and by the on-access scanners of other vendors' products.

When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect.

The NProtect directory will continue to function as it always has, and users will continue to have the ability to enable or disable the feature through the Norton Protected Recycle Bin user interface.

Mitigation

Symantec ResponseSymantec product engineers have developed and released an update for products affected by this exposure. The update is available through Symantec LiveUpdate by running a manual update. To manually update via Symantec LiveUpdate, users should:

• Open Norton SystemWorks
• Click on LiveUpdate
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

This update will require a system reboot.

Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder. This update is provided proactively to eliminate the possibility of that type of activity.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec recommends customers update their products to protect against any probability of this type of threat.

Acknowledgements

Symantec would like to thank Mark Russinovich of Sysinternals (www.sysinternals.com) and the F-Secure Blacklight team (www.f-secure.com/blacklight/) for their cooperation in working with us on this issue

References

Additional Data

Legacy ID: SYM06-001

Owner: James Terrill

Created: 10-JAN-06 12.00.00.000000000 AM

Modified: 10-JAN-06 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec was alerted to a stack overflow and information disclosure vulnerabilities that Next Generation Security Research (NGSS) discovered in a Symantec-developed ActiveX control, installed as a part of Symantec’s Automated Support Assistant and with some of Symantec’s consumer products (indicated above). This ActiveX control failed to properly validate external input. This failure could potentially result in a browser crash or, possibly unauthorized use of methods allowing access to system information as well as a stack overflow with the potential for malicious code execution in the context of the user’s browser.

The impact of this threat is considerably lessened as it requires interactive user involvement as well as an attacker’s successful spoofing of a trusted domain website in any attempt to compromise the targeted system. The ActiveX control identified is restricted to specific trusted websites in which it can be scripted. To exploit successfully, an attacker would need to be able to effectively masquerade as the authorized site and entice a user to click on their specific URL for the malicious code to successfully impact the customer’s system.

This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE identifier assigned to this issue is CVE-2006-5403

Mitigation

Symantec ResponseSymantec product engineers have developed and released solutions for this issue through Symantec's LiveUpdate and other venues.

Symantec users who normally run regular manual LiveUpdates will already be protected. However, to ensure all available patches have been properly applied to Symantec products, users should run a manual LiveUpdate as follows:

• Open any installed Symantec consumer product identified above
• Click on LiveUpdate in the toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed

Symantec product engineers have upgraded the current vulnerable component on the Symantec support website so users will be able to download a non-vulnerable version of the Automated Support Assistant.

Customers who may have previously downloaded the support tool or users who have installed the consumer products identified above can go to the support site, https://www-secure.symantec.com/techsupp/asa/install.jsp and download a new version of the Automated Support Assistant. By downloading a new version, the legacy tool will be replaced by an updated, non-vulnerable version.

Symantec recommends all customers apply all updates to protect against threats of this nature.

Symantec knows of no exploitation of or adverse customer impact from these issues.

MitigationSymantec Security Response has also developed a removal tool to assist in removing legacy versions of the at risk control. The removal tool is located here
(http://www.symantec.com/home_homeoffice/security_response/removaltools.jsp).

IDS signatures have been developed to detect and block any attempts to exploit this issue.

Customers using Symantec Norton Internet Security or Norton Personal Firewall will receive signature updates if they run LiveUpdate automatically. If not, Symantec recommends customers manually run Symantec LiveUpdate regularly to ensure they have the most current protection available. Internet zone settings for the local user may prohibit activation of ActiveX controls without their consent. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system would be less impacted than users who operate with administrative user rights in the event of any attempted compromise.

As always, if previously unknown malicious code were to be distributed in this manner, Symantec Security Response will quickly react and send updated definitions via LiveUpdate to detect and block any new threat.

Best PracticesAs part of normal best practices, Symantec strongly recommends a multi-layered approach to security:

• Run under the principle of least privilege where possible.
• Keep all operating systems and applications updated with the latest vendor patches.
• Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
• Users should be cautious of mysterious attachments and executables delivered via email and be cautious of browsing unknown/untrusted websites or opening unknown/untrusted URL

Acknowledgements

Symantec thanks John Heasman of Next Generation Security Research for reporting this finding to us and for excellent coordination while resolving this issue.

References

Additional Data

Legacy ID: SYM06-019

Owner: James Terrill

Created: 05-OCT-06 12.00.00.000000000 AM

Modified: 05-OCT-06 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec was initially alerted by Next Generation Security Software (NGSS), to stack overflow and unauthorized access vulnerabilities identified in two SupportSoft ActiveX controls, SmartIssue tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and shipped with some of Symantec's 2006 consumer products and used by the Symantec Automated Support Assistant support tool Symantec provides on its consumer support site. These SupportSoft ActiveX components did not properly validate external input. This failure could potentially lead to unauthorized access to system resources or the possible execution of malicious code with the privileges of the user's browser, resulting in a potential compromise of the user's system.
Any attempt to exploit these issues would require interactive user involvement. An attacker would need to be able to effectively entice a user to visit a malicious web site where their malicious code was hosted or to click on a malicious URL in any attempt to compromise the user's system. While these SupportSoft-developed components should also have been effectively site-locked, which would have further reduced the severity, this capability was found to be improperly implemented in the vulnerable versions.

A CVE Candidate CVE-2006-6490 has been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Mitigation

Symantec ResponseSymantec worked closely with SupportSoft to ensure updates were quickly made available for the identified controls. SupportSoft has posted a Security Bulletin for the controls Symantec uses and controls used in other products on their support site, www.supportsoft.com.

Symantec immediately removed the vulnerable controls from its consumer support site. Symantec engineers tested the updates provided by SupportSoft extensively and once tested updated the Symantec Automated Support Assistant on Symantec's support site. Additionally, in November 2006, the vulnerable versions of these controls were disabled through LiveUpdate for Symantec consumer customers who regularly run interactive updates to their Symantec applications. Those Symantec consumer customers who rely solely on Automatic LiveUpdate would have received an automatic notification to initiate an interactive LiveUpdate session to obtain all pending updates. To ensure all updates have been properly retrieved and applied to Symantec consumer products, users should regularly run an interactive LiveUpdate session as follows:

• Open any installed Symantec consumer product
• Click on LiveUpdate in the GUI toolbar
• Run LiveUpdate until all available Symantec product updates are downloaded and installed or you are advised that your system has the latest updates available.

Symantec recommends customers always ensure they have the latest updates to protect against threats.

Symantec customers who previously downloaded the Symantec Automated Support Assistant tool beginning in July 2005 and those who have installed versions of the consumer products indicated above may also go to the Symantec support site, https://www-secure.symantec.com/techsupp/asa/install.jsp to ensure they have the updated version of the Automated Support Assistant fix tool. By downloading the updated version of the Symantec Automated Support Assistant fix tool, any existing legacy controls are updated with non-vulnerable versions. Customers, who have received support assistance since August 2006, will already have the latest non-vulnerable versions of these controls.

Symantec has not seen any active attempts against or customer impact from these issues.

MitigationSymantec Security Response is releasing an AntiVirus Bloodhound definition Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to exploit these vulnerable controls. Virus definitions containing this heuristic will be available through Symantec LiveUpdate or Symantec's Intelligent Updater.

IDS signatures have also been released to detect and block attempts to exploit this issue.

Customers using Symantec Norton Internet Security or Norton Personal Firewall receive regular signature updates if they run LiveUpdate automatically. If not using the Automatic LiveUpdate function, Symantec recommends customers interactively run Symantec LiveUpdate frequently to ensure they have the most current protection available.
Establishing more secure Internet zone settings for the local user can prohibit activation of ActiveX controls without the user's consent.
An attacker who successfully exploited this vulnerability could gain the user rights of the local user. Users whose accounts are configured to have fewer user rights on the system would be less impacted than users who operate with administrative privileges.

As always, if previously unknown malicious code were attempted to be distributed in this manner,

Acknowledgements

Symantec has coordinated very closely with SupportSoft to help ensure that all additional affected vendor customer bases has been provide with information concerning affected controls and updates to address the vulnerability. Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial identification and notification of this issue and for the excellent, in-depth coordination with both Symantec and SupportSoft while resolving the issue. Additionally, this issue was independently identified by the analysts at CERT , in CERT Vulnerability Note VU#441785, who reported their findings to and worked closely with both Symantec and SupportSoft through to resolution and by Peter Vreugdenhil, working through iDefense who coordinated with Symantec as we resolved the issue

References

Additional Data

Legacy ID: SYM07-002

Owner: James Terrill

Created: 22-FEB-07 12.00.00.000000000 AM

Modified: 22-FEB-07 12.00.00.000000000 AM

Classification: Norton

DetailsScheduled backups of local disks saved to remote network shares saves login credentials, for the remote share, into the application directory with read access set for everyone.

A buffer overflow exists that can cause a denial of service or possibly allow local users to run code with System level privileges.

Mitigation

Symantec ResponseSymantec has released updates for all affected product version currently supported by Symantec. These updates are available through LiveUpdate.

To date, Symantec is not aware of any reported attempts to exploit this vulnerability.

Acknowledgements

Symantec would like to thank Pravus for reporting this issue to iDefense Labs. Symantec would like to thank iDefense Labs for reporting these issues to Symantec, and working with us on the resolution

References

Additional Data

Legacy ID: SYM07-004

Owner: James Terrill

Created: 26-APR-07 12.00.00.000000000 AM

Modified: 26-APR-07 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec was notified by iDefense that a design error in NAVOPTS.DLL, an ActiveX control used by Norton AntiVirus, could potentially allow an attacker to crash the control if the end user visits a malicious web site. A successful exploit of NAVOPTS.DLL could then allow the attacker to access other Symantec ActiveX controls, even if they are not marked safe for scripting, possibly leading to remote arbitrary code execution in the context of the user's browser.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2006-3456 to this issue

Mitigation

Symantec ResponseSymantec product engineers have determined that the issue affects the Norton consumer products listed in the table above. Product updates to correct the problem are available through LiveUpdate.

This vulnerability can only be exploited if an attacker entices the user to visit a malicious website. This type of attack is most commonly achieved through sending email containing a link to the malicious site, and persuading the recipient to click on the link.

Norton product users who normally run manual LiveUpdate should already have this update. However, to ensure all available updates have been properly installed, run manual LiveUpdate as follows:

• Open any installed Norton product
• Click LiveUpdate
• Run LiveUpdate until all available product updates are downloaded and installed
• A system reboot may be required, depending on the existing patch level of the affected product.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Symantec's enterprise products do not use NAVOPTS.DLL, and therefore they are not affected by this vulnerability.

Best PracticesAs part of normal best practices, Symantec strongly recommends a multi-layered approach to security:

• Run under the principle of least privilege where possible.
• Keep all operating systems and applications updated with the latest vendor patches.
• Run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
• Be cautious when receiving attachments, executables, and web links through email. Do not open email from unknown senders.
• Email addresses can easily be spoofed so that a message appears to come from someone you know. If in doubt, contact the sender to confirm they sent it before opening attachments or following web links.

Acknowledgements

Symantec would like to acknowledge Peter Vreugdenhil, working with the iDefense Vulnerability Contributor Program (http://www.idefense.com), for reporting this issue and coordinating with us on the response

References

Additional Data

Legacy ID: SYM07-005

Owner: James Terrill

Created: 09-MAY-07 12.00.00.000000000 AM

Modified: 09-MAY-07 12.00.00.000000000 AM

Classification: Norton

DetailsCERT notified Symantec that a buffer overflow exists in an ActiveX Control used by Norton Personal Firewall. The error occurs in the Get() and Set() functions used by ISAlertDataCOM, which is part of ISLALERT.DLL. A successful exploit of this vulnerability could potentially allow the remote execution of code on a vulnerable system, with the rights of the logged-in user.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-1689 to this issue

Mitigation

Symantec ResponseSymantec product engineers have determined that the issue affects Norton Personal Firewall and Norton Internet Security 2004 only. Product updates to correct the problem are available through LiveUpdate.

To successfully exploit this vulnerability, an attacker would need to entice the user to view a specially crafted HTML document. This type of attack is often achieved by sending email containing a link to the malicious site, and persuading the recipient to click on the link.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability.

How to obtain the updateNorton Internet Security and Norton Personal firewall 2004 users who normally run manual LiveUpdate to obtain product updates can also obtain this update through the same process. Run manual LiveUpdate as follows:

• Open any installed Norton product
• Click LiveUpdate
• Run LiveUpdate

If you have not previously installed all available product updates, you will need to obtain those updates first. You will need to modify your LiveUpdate settings to connect to the archive LiveUpdate server to obtain the previous product updates.

Please see this Knowledgebase article for information:

How to obtain the programs updates that are archived on Symantec LiveUpdate server
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2007010219171513

After you have downloaded and installed all available updates from the archive server, you will be able to download the update for this vulnerability.

MitigationSymantec has released IPS signatures for the Symantec products listed below, to detect attempts to exploit this vulnerability.

Best PracticesAs part of normal best practices, Symantec strongly recommends a multi-layered approach to security:

• Run under the principle of least privilege.
• Keep operating systems and applications updated with the latest vendor patches.
• Run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection.
• Be cautious when receiving attachments, executables, and web links through email. Do not open email from unknown senders.
• Email addresses can easily be spoofed so that a message appears to come from someone you know. If in doubt, contact the sender to confirm they sent it before opening attachments or following web links.

Acknowledgements

Symantec would like to thank Will Dormann of the CERT Coordination Center (http://www.cert.org/certcc.html) for reporting this issue and coordinating with us on the response.

References

Additional Data

Legacy ID: SYM07-007

Owner: James Terrill

Created: 16-MAY-07 12.00.00.000000000 AM

Modified: 16-MAY-07 12.00.00.000000000 AM

Classification: Norton

DetailsSymantec was notified that two ActiveX controls supplied by NAVCOMUI.DLL contain an input validation error for two properties of the controls. This error could allow an attacker to crash Internet Explorer, or possibly run arbitrary code with the rights of the logged in user.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2007-2955 to this issue.
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

SecurityFocus (http://www.securityfocus.com) has assigned Bugtraq ID (BID) 24983 to this issue.

Mitigation

Symantec responseSymantec engineers have confirmed that the vulnerability in the products listed in the Affected Products table above. Updates for affected products are available through LiveUpdate.

No versions of Symantec AntiVirus Corporate Edition or Symantec Client Security are affected by this vulnerability.

To successfully exploit this vulnerability, an attacker would need to entice the user to view a specially crafted HTML document. This type of attack is often achieved by sending email containing a link to the malicious site, and persuading the recipient to click on the link.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

MitigationSymantec Security Response has released Bloodhound.Exploit.148 to detect and block attempts to exploit this vulnerability. This detection is available in virus definitions dated 08-09-2007 and later.

In addition, Symantec has released an IPS signature to detect and block attempts to exploit this vulnerability. The signature, HTTP Symantec NAV NavComUI ActiveX BO, is available in signatures dated 08-09-2007 and later.

Virus definitions and IPS signatures are both available through LiveUpdate

How to Obtain the UpdateSymantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of NAVCOMUI.DLL.
However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

• Open any installed Norton product
• Click on LiveUpdate in the GUI
• Run LiveUpdate until all available product updates are downloaded and installed

Best PracticesSymantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability. As part of normal best practices, Symantec recommends the following:

• Run under the principle of least privilege to limit the impact of exploits.
• Keep all operating systems and applications updated with the latest vendor patches.
• Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.
• Keep anti-virus definitions and IPS (firewall) signatures up to date.

Acknowledgements

Symantec would like to thank Carsten Eiram, Secunia Research for reporting this issue and coordinating with us on the response

References

Additional Data

Legacy ID: SYM07-021

Owner: James Terrill

Created: 09-AUG-07 12.00.00.000000000 AM

Modified: 09-AUG-07 12.00.00.000000000 AM

Classification: Norton

DetailsAn executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root access. A member of group admin could replace this executable with code of their choice, and gain user root access.

The folder /Library/Application Support has group ownership admin (gid 80). The folder is also group-writable, so programs launched by users with admin privileges can rename folders with /Library/Application Support without explicitly alerting the user. This could potentially be used to spoof the Disk Mount scanner into launching an arbitrary executable when a disk is inserted.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-5829 has been assigned to this exposure.

SecurityFocus has assigned BID 26253 to this vulnerability.

Mitigation

Symantec ResponseSymantec engineers have verified that this issue exists in the products listed above. However, any potential attempt to exploit the issue will fail if Mount Scanning is disabled, or if Mount Scanning is configured to run without showing progress.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Symantec has released updated, non-vulnerable versions of the products impacted by this vulnerability.

Customers who have not updated to a non-vulnerable version can download and apply a kernel extension which will prevent Symantec folders from being renamed or deleted by a user who does not already have root privilege. For additional information on this option, please see the following knowledgebase articles:

Norton Antivirus for Macintosh users:http://service1.symantec.com/SUPPORT/num.nsf/docid/2008022610250611

Symantec AntiVirus for Macintosh users:http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021511052348

MitigationCustomers who have not updated to a non-vulnerable version or applied the application extension have the following options:
Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

An alternative mitigation is to set the sticky bit on the folder /Library/Application Support. The sticky bit may become unset if Apple’s Disk Utility is used at some later time to repair permissions on the drive. The sticky bit may be set by issuing the following command in a terminal window (note the quotes), and entering an admin password at the resulting prompt:

sudo /bin/chmod +t "Library/Application Support"

Best PracticesSymantec recommends any affected customers apply one of the mitigation steps to protect against potential attempts to exploit this issue. As part of normal best practices, Symantec recommends the following:

• Run under the principle of least privilege to limit the impact of potential exploits.
• Restrict access to computer systems to trusted users only.
• Keep all operating systems and applications updated with the latest vendor patches.
• Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.

Acknowledgements

Symantec would like to thank William Carrel for reporting this issue.

References

Additional Data

Legacy ID: SYM07-028

Owner: James Terrill

Created: 01-NOV-07 12.00.00.000000000 AM

Modified: 01-NOV-07 12.00.00.000000000 AM

Classification: Norton

Details

IDefense notified Symantec of two vulnerabilities in an ActiveX control (SYMADATA.DLL) used to troubleshoot Symantec consumer products.

The first vulnerability, reported by Peter Vreugdenhill, is a stack based buffer overflow which could allow a successful attacker to run code of their choice in the context of the user’s browser. The user must be enticed to visit a malicious website masquerading as a trusted Symantec site before an attack can be launched.

The second vulnerability occurs due to a design error in the process used to look for and launch the AutoFix Tool. If successfully exploited, an attacker could load and execute code of their choice from a remote share. However, this can occur only if the target system (user’s system) is configured to allow access to remote shares via WebDav or SMB.

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE has assigned CVE-2008-0312 to the buffer overflow, and CVE-2008-0313 to the launch process design error.

SecurityFocus, http://www.securityfocus.com, has assigned BID 28507 to the buffer overflow reported by Peter Vreugdenhill, and BID28509 to the launch process design error reported by an anonymous finder.

Mitigation

Acknowledgements

Symantec would like to thank Peter Vreugdenhill and an anonymous finder, working with the IDefense VCP (http://labs.idefense.com/vcp/) for reporting these issues, and coordinating with us on the response.

References

Additional Data

Legacy ID: SYM08-009

Owner: James Terrill

Created: 02-APR-08 12.00.00.000000000 AM

Modified: 02-APR-08 12.00.00.000000000 AM

Classification: Norton

Risk Impact

Low

Mitigation

Details

Next Generation Security Software notified Symantec that a specially crafted email could potentially create a Denial of Service (DoS) condition on an end user system. The malicious message would require a significantly longer than normal time to process, which could cause the client system to lose connection with the mail server. The email client will try to download the message again the next time it connects to the mail server, and again lose connection. This cycle would be repeated until the malicious message was deleted from the mail server.

Symantec Response

Symantec has confirmed that this issue exists in the products listed in the Affected Products table above. The vulnerability can be exploited only if the optional Internet Email Scanning feature is enabled on the user’s system. 

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Mitigation

Internet Email Scanning is an optional feature which can disabled if it is not being used. Disabling this feature prevents it from being exploited through this vulnerability.

Updating Norton products

Norton product users who launch and run LiveUpdate regularly have already received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in interactive mode as follows: 

• Open any installed Norton product
• Click LiveUpdate
• Run LiveUpdate until all available product updates are downloaded and installed
• A reboot may be required, depending on the existing patch level of the affected computer.

Best Practices

As part of normal best practices, Symantec strongly recommends a multi-layered approach to security: 

• Run under the principle of least privile

Acknowledgements

Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.

References

SecurityFocus, http://www.securityfocus.com, has assigned BID 34670 to this issue 

This issues is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE-ID, CVE-2009-3104 has been assigned for this issue.

Additional Data

Legacy ID: SYM09-012

Owner: James Terrill

Created: 26-AUG-09 12.00.00.000000000 AM

Modified: 26-AUG-09 12.00.00.000000000 AM

Classification: Norton

Severity

Medium 

Mitigation

Details

Android system logs where Norton Mobile Security Beta sensitive information is stored. Some applications downloaded to an Android Smartphone may be able to gain unnecessary and/or unauthorized read/write access permission to device logs without the consent or knowledge of the device owner. 

An individual could potentially create a malicious application that can gain unauthorized access to sensitive Norton Mobile Security Beta information stored on device system logs. An attacker would have to effectively entice the user to download the hostile app by visiting a malicious web site or by clicking on a malicious URL. The user would need to authorize the permissions required and requested by the app in most instances though the app may be able to circumvent actual user authorization is some instances. 

Such an attack could potentially expose application setup information to possibly include the wipe/lock credentials the user established for the Norton Mobile Security Beta application. This could possibly result in a malicious user being able to be able to deny the user access to the phone or potentially manipulate personal data stored on the phone via specifically formatted messages.

Symantec Response

Symantec product engineers have developed and released a solution. Symantec Mobile Security Beta for Android users should updated to the latest release available through normal update procedures.

Symantec knows of no exploitation of or adverse customer impact from this issue.

Best Practices

As part of normal best practices, Symantec strongly recommends: 

• Keep Smartphone operating systems and applications updated with the latest vendor patches
• Run an anti-malware application to provide detection and protection to both inbound and outbound threats
• Users should be cautious of unknown applications or applications from sites they are not familiar with or of questionable reputation
• Be wary of attachments and executables delivered via email or IM and be cautious of browsing unknown/untrusted websites or clicking on unknown/untrusted URL links
• Be aware of and understand the impact of permissions being requested by the app being download before granting access

Acknowledgements

Symantec thanks Tim Wyatt with Lookout Mobile Security for reporting their finding and coordinating closely with Symantec in resolving the issue.

References

Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) 44767 to this issue for inclusion in the Security Focus vulnerability database. 

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org). The CVE initiative has assigned CVE-2010-0113 to this issue.

Additional Data

Legacy ID: SYM10-011

Owner: James Terrill

Created: 11-NOV-10 12.00.00.000000000 AM

Modified: 11-NOV-10 12.00.00.000000000 AM

Classification: Norton

Medium

CVSS2 Base Score: 4.4

Impact 6.9, Exploitability 2.7

CVSS2 Vector:  (AV:L/AC:M/Au:S/C:N/I:N/A:C)

Exploit Publicly Available:  Yes

Mitigation

Details

Symantec is aware of a local denial of service as a result of the Gear Software CD DVD filter driver GEARAspiWDM.sys improper validation of external input. The Gear Software driver ships with Symantec products identified in the affected products table above. Successful exploitation would require local authorized access to the targeted system or interaction with an authorized local user to upload and run malicious code on their system.

Symantec Response

Symantec engineers confirmed the issue existing in the Gear Software driver version shipped with the listed products.  Gear Software released a driver update to address this issue. Symantec recommends all affected product customers download and apply the update identified above to prevent threats of this nature.

Symantec is not aware of any exploitation of, or adverse customer impact from this issue.

Obtaining the Update

Norton 360 and Symantec System Recovery customers running LiveUpdate in automatic mode have already received an updated version of the affected driver. However, to ensure all available updates have been applied, users can run a manual (interactive) LiveUpdate as follows:

• Open any installed Norton 360 or Symantec System Recovery product
• Run LiveUpdate until all available product updates are downloaded and installed

Customers running other impacted products should upgrade to the recommended product version indicated in the Affected Products table or download and apply the latest Gear driver from Gear Software’s web site:

• From a browser window, navigate to the Gear Software Driver update page or following this link:http://www.gearsoftware.com/support/drivers.cfm
• Click the Driver Installer link (for 32 0r 64-bit systems)
• At the prompt, click “Run” to install the update directly or “Save” to download the update package to your system where the driver can then be installed.

Backup Exec System Recovery 201

Acknowledgements

References

Security Focus, http://www.securityfocus.com, has assigned Bugtraq ID (BID) 47822 to this issue in the Security Focus vulnerability database.

CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2011-3477 has been assigned to this issue.

Additional Data

Legacy ID: SYM11-014

Owner: James Terrill

Created: 09-NOV-11 12.00.00.000000000 AM

Modified: 09-NOV-11 12.00.00.000000000 AM

Classification: Norton

Mitigation

Acknowledgements

• Anonymous submitter (CVE-2016-6585, CVE-2016-6586, CVE-2016-6587)

References

Additional Data

Legacy ID: SYM16-019

Owner: James Terrill

Created: 01-NOV-16 12.00.00.000000000 AM

Modified: 01-NOV-16 12.00.00.000000000 AM

Classification: Norton

Mitigation

Norton App Lock for Android has been updated to fix this issue. Customers will either be notified that their product has been auto-updated or will be notified that an update is available for them to install, depending on configuration

Acknowledgements

• Samuel Siino (CVE-2016-6591)

References

Additional Data

Legacy ID: SYM16-022

Owner: James Terrill

Created: 30-NOV-16 12.00.00.000000000 AM

Modified: 30-NOV-16 12.00.00.000000000 AM

Classification: Norton

Mitigation

Norton Download Manager is not updated though Liveupdate. Customers first download Norton Download Manager during the initial install of a Norton security product and it is normally a run-once application to manage the download and install of the selected Norton product. There is some potential that users may need to run a previously downloaded version of Norton Download Manager in the following scenarios:

• Norton Download Manager has not been run since it was initially downloaded from the Norton portal
• Norton Download Manager failed to download the full product installer
• The full product installer itself failed during installation

The upgrade solution for impacted customers is to:

• Delete any previously downloaded version of Norton Download Manager, version 5.6 or earlier
• Download the updated version of Norton Download Manager currently posted to the Norton portal that is associated with their Norton security product

Customers and users who want to download a trial version of a Norton security or Norton Family product can visit the Norton website. Once there, navigate to PRODUCT & SERVICES and select Free Trials.

Customers who want to download a licensed Norton security or Norton Family product can log into their Norton account and click on Download.

*Affected Norton Family Products

• Norton Family
• Norton AntiVirus
• Norton AntiVirus Basic
• Norton Internet Security
• Norton 360
• Norton 360 Premier
• Norton Security
• Norton Security with Backup
• Norton Security Standard
• Norton Security Deluxe
• Norton Security Premium
• Symantec Endpoint Protection Cloud

Best Practices

Symantec recommends the following measures to reduce the

Acknowledgements

• Sachin M. Wagh, aka tiger_tigerboy (CVE-2016-6592)
• Praveen Singh (CVE-2016-6592)
• Takashi Yoshikawa, Mitsui Bussan Secure Directions working with JP CERT (CVE-2016-6592)

References

Additional Data

Legacy ID: SYM17-001

Owner: James Terrill

Created: 17-JAN-17 12.00.00.000000000 AM

Modified: 17-JAN-17 12.00.00.000000000 AM

Classification: Norton

Mitigation

This issue was validated by the product team engineers. A Norton Remove & Reinstall update, version 4.4.0.58, has been released which addresses the aforementioned vulnerability. Note that Norton Remove & Reinstall’s latest release and patches are available to customers through normal support channels or can be downloaded directly from the following URL:

https://norton.com/rnr

To determine if your version of Norton Remove & Reinstall is susceptible to this vulnerability, please perform the following actions:

• Open the File properties for NRnR.exe, click on the ‘Details’ tab
• View the ‘File Version’ entry
• Upgrade to the patched version as needed depending on existing file version (note that file versions older than 4.4.0.58 are susceptible to this vulnerability)

At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Best Practices

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• Kushal Arvind Shah of Fortinet's FortiGuard Labs: kshah@fortinet.com (CVE-2017-13676)

References

Additional Data

Legacy ID: SYM17-009

Owner: James Terrill

Created: 26-SEP-17 12.00.00.000000000 AM

Modified: 26-SEP-17 12.00.00.000000000 AM

Classification: Norton

Mitigation

This issue was validated by the product team engineers. An Install Norton Security (INS) update, version 7.6, has been released which addresses the aforementioned issue. To apply the fix, please uninstall the previous version of Install Norton Security and then download and install the updated version. Note that you can access the updated Install Norton Security at the following URL:

https://my.norton.com

At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

BEST PRACTICES

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CERT Coordination Center <cert@cert.org> (CVE-2017-15528)

References

Additional Data

Legacy ID: SYM17-014

Owner: James Terrill

Created: 21-NOV-17 12.00.00.000000000 AM

Modified: 21-NOV-17 12.00.00.000000000 AM

Classification: Norton

Mitigation

These issues were validated by the product team engineers. A Norton Family Android App update, version 4.4.1.10, has been released which address the aforementioned issues. Note that the latest Symantec Norton Family Android App release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

BEST PRACTICES

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• Kai Kunschke <Kai.Kunschke@cirosec.de> (CVE-2017-15529)
• Kai Kunschke <Kai.Kunschke@cirosec.de> (CVE-2017-15530)

References

Additional Data

Legacy ID: SYM17-015

Owner: James Terrill

Created: 13-DEC-17 12.00.00.000000000 AM

Modified: 13-DEC-17 12.00.00.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.3.0.13, has been released which addresses the aforementioned issue. Note that the latest Symantec Norton App Lock release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Additional note: The Norton App Lock version 1.3.0.13 is fully vetted and functional on tested devices including Android OS on Samsung, Redmi, and Xiomi. However, the fix is not functional on the Lenovo K3 device due to an inherent issue in the device itself. Symantec has opened a support case for this issue and it has been confirmed from Lenovo that they are not going to provide any fix for this issue due to the age of the device. The support case can be referenced via the following link:

https://forums.lenovo.com/t5/K-and-Vibe-Z-Series-Smartphones/Lenovo-K3-Note-applocker-issue/m-p/3925583/highlight/true#M54206

Symantec has confirmed that this particular issue does not affect the latest Lenovo devices.

BEST PRACTICES

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• Zaid Shaikh <shaikhzaid901@gmail.com> (CVE-2017-15534)

References

Additional Data

Legacy ID: SYM18-001

Owner: James Terrill

Created: 26-MAR-18 12.00.00.000000000 AM

Modified: 26-MAR-18 12.00.00.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton Core update, v237, has been released which addresses the aforementioned issue. Note that Norton Core updates are received to devices automatically via firmware updates to the router. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

BEST PRACTICES

Symantec recommends the following measures to reduce risk of attack:

• To ensure that Norton Core stays up to date, keep it powered on and connected to the internet
• Maintain an active Norton subscription
• Enable Multi-Factor Authentication (MFA) on the Norton Account associated with Norton Core
• Ensure that the Norton Core app on your mobile device is up-to-date
• Use strong WiFi passwords
• Use recommended strong encryption options for the WiFi network, such as WPA-2 (AES)
• Use recommended DNS services, such as those offered by DNSSEC DNS providers
• Limit or avoid the use of UPnP from Norton Core
• Limit or avoid the use of Port Forwarding from Norton Core
• Limit or avoid the use of daisy-chained routers with Norton Core
• Avoid risky web behavior, such as visiting or downloading software from untrusted websites
• Use security software such as Norton Security on all devices that support it

Acknowledgements

• Alexander Rumyantsev (a.rumyantsev@embedi.com) from Embedi (CVE-2018-5234)

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 30-APR-18 12.00.00.000000000 AM

Modified: 30-APR-18 12.00.00.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.3.0.329, has been released which addresses the aforementioned issue. Note that the latest Symantec Norton App Lock release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-5242: Luigi Gubello <luigi.gubello@protonmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 07-JUN-18 12.00.40.000000000 PM

Modified: 13-JUN-18 08.01.11.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.3.0.332, has been released which addresses the aforementioned issue. Note that the latest Symantec Norton App Lock release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection from both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-5239:  Suyog Palav <https://www.linkedin.com/in/suyog-palav>  & Nikhil Mahadeshwar <webmaster.nikhilm@gmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 10-JUL-18 05.44.26.000000000 AM

Modified: 19-JUL-18 12.10.08.000000000 PM

Classification: Norton

Mitigation

These issues were validated by product team engineers. A set of updates, Norton Utilities 16.0.3.44, Norton Power Eraser 5.3.0.24, and SymDiag 2.1.242, have been released which address the aforementioned issues. The latest releases and patches are available to customers through normal support channels or can be downloaded directly from the Norton.com website for Norton Utilities and Norton Power Eraser; for SymDiag, they can be downloaded by following the instructions in the following technote:

https://support.symantec.com/en_US/article.TECH170752.html

**Note: The latest updates addressing these issues apply to Windows versions 8 and higher. For users running Windows 7, the listed issues may still manifest and as such, users are encouraged to update their operating systems to a more recent version. These issues are actually common in the Windows operating system and the product teams have taken steps to circumvent these particular security flaws. For additional information on this particular Windows vulnerability, please access the following link from the MSFT support website:

https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot

At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-5235 Kushal Arvind Shah of Fortinet's FortiGuard Labs: kshah@fortinet.com
• CVE-2018-5238 Kushal Arvind Shah of Fortinet's FortiGuard Labs: kshah@fortinet.com

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 15-AUG-18 02.01.40.000000000 PM

Modified: 30-AUG-18 12.00.48.000000000 PM

Classification: Norton

Mitigation

This issue was validated by product team engineers. A Norton Identity Safe for Android update, version 5.3.0.976, has been released which addresses the aforementioned issue. The latest releases and patches are available to customers through normal support channels or can be updated directly from the Google Play store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-12240: Eric Bodden @profbodden <eric.bodden@uni-paderborn.de>, Stefan Krüger <stefan.krueger@uni-paderborn.de>, Johannes Späth <johannes.spaeth@iem.fraunhofer.de>, Karim Ali <karim.ali@ualberta.ca>, Mira Mezini <mezini@cs.tu-darmstadt.de>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 22-AUG-18 12.15.13.000000000 PM

Modified: 29-AUG-18 10.43.04.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton Password Manager for Android (formerly Norton Identity Safe) update, version 6.1.0.1045, has been released which addresses the aforementioned issue. Note that the latest Norton Password Manager for Android release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-18362: Luigi Gubello <luigi.gubello@protonmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 30-NOV-18 06.40.33.000000000 AM

Modified: 06-DEC-18 06.00.27.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.4.0.445, has been released which addresses the aforementioned issue. Note that the latest Symantec Norton App Lock release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

CVE-2018-18363: Naomi Tesla

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 04-JAN-19 06.21.54.000000000 AM

Modified: 09-JAN-19 06.00.22.000000000 AM

Classification: Norton

Mitigation

This issue has been validated by Symantec. Updates for Norton Password Manager, versions 6.2.0.1078 (Android) and 6.2.309 (iOS), have been released to address this issue. Note that the latest Norton Password Manager release are available to customers through the Google Play Store and the Apple App Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-18365: YoKo Kho <@yokoacc / yk@firstsight.me>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 07-FEB-19 10.59.22.000000000 AM

Modified: 14-FEB-19 06.00.36.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton Core update, v278, has been released which addresses the aforementioned issue. Note that Norton Core updates are received to devices automatically via firmware updates to the router. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Symantec recommends the following measures to reduce risk of attack: 

• To ensure that Norton Core stays up to date, keep it powered on and connected to the internet

Acknowledgements

-CVE-2019-9695: Moshe Wagner <moshe.wagner@gmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 19-MAR-19 11.23.38.000000000 AM

Modified: 10-APR-19 07.23.45.000000000 AM

Classification: Norton

Mitigation

The aforementioned issues were validated by product team engineers. A set of product security updates to mitigate the listed issues are as follows:

• Norton Security for Windows version 22.16.3 (or higher)
  • **Note for Window 7 users: please apply SP1 or higher
• Symantec Endpoint Protection (SEP) version 14.2 RU1
  • ​In addition, a refresh of 14.2 MP1 (14.2.1057.0103) was released on August 21st, 2019 to address this issue. This is available upon request from Symantec Technical Support
• Symantec Endpoint Protection Manager (SEPM) version 14.2 RU1
• Symantec Endpoint Protection Small Business Edition (SEP SBE) versions Cloud Agent 3.00.31.2817, NIS-22.15.2.22 & SEP-12.1.7484.7002
• Symantec Endpoint Protection Cloud (SEP Cloud) version 22.16.3 (or higher)

Note that the latest releases of the mentioned products are available to customers through normal support channels. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-12244: Ayushman Dutta
• CVE-2018-18366: Discovered by Marcin 'Icewall' Noga of Cisco Talos
• CVE-2018-18367: Ilias Dimopoulos <https://www.linkedin.com/in/dimopouloselias/> (a.k.a gweeperx)
• CVE-2018-18369: hujin@topsec

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 15-APR-19 11.07.45.000000000 AM

Modified: 23-SEP-19 06.09.07.000000000 AM

Classification: Norton

Mitigation

This issue has been validated by Symantec. An update for Norton Password Manager for Android, version 6.3.0.2082, has been released to address this issue. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-9700: YoKo Kho <@yokoacc / yk@firstsight.me>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 06-JUN-19 06.05.35.000000000 AM

Modified: 16-JUL-19 06.00.23.000000000 AM

Classification: Norton

Mitigation

This issue has been validated by Symantec. An update for Norton Password Manager for Android, version 6.5.0.2104, has been released to address this issue. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-12755: Dhiraj Mishra <@RandomDhiraj>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 09-SEP-19 10.53.14.000000000 AM

Modified: 16-SEP-19 06.00.17.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.4.0.503, has been released which addresses the aforementioned issue. Note that the latest Norton App Lock release and patches are available to customers through the Google Play Store. At this time, there is no evidence of any exploitations or adverse customer impact from this issue.

Consider the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-18373: Yasin Yilmaz <yasinyilmaz@email.com>

References

Additional Data

Legacy ID:

Owner: Tom Tsongas

Created: 13-NOV-19 06.58.06.000000000 AM

Modified: 18-NOV-19 05.42.57.000000000 AM

Classification: Norton

Mitigation

An update for Norton Password Manager for Android, version 6.6.2.5, has been released to address these issues. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. At this time, there is no evidence of any exploitations or adverse customer impact from these issues.

Acknowledgements

• CVE-2019-18381: Alesandro Ortiz <https://AlesandroOrtiz.com>
• CVE-2019-19545: Alesandro Ortiz <https://AlesandroOrtiz.com>
• CVE-2019-19546: Alesandro Ortiz <https://AlesandroOrtiz.com>

References

Additional Data

Legacy ID:

Owner: Tom Tsongas

Created: 03-DEC-19 11.12.41.000000000 AM

Modified: 05-DEC-19 05.42.32.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Symantec Ghost Solution Suite (GSS) update, version 3.3 RU1, has been released which addresses the aforementioned issue. Note that the latest Symantec Ghost Solution Suite (GSS) releases and updates are available to customers through normal support channels. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-18364: Povl TekstTV

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 22-JAN-19 11.02.02.000000000 AM

Modified: 17-JUL-19 06.00.15.000000000 AM

Classification: Norton

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.4.0.445, has been released which addresses the aforementioned issue. Note that the latest Symantec Norton App Lock release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

CVE-2018-18363: Jeffrey Mustard (@MustardJeffrey)

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 04-JAN-19 06.21.54.000000000 AM

Modified: 09-JAN-19 06.00.22.000000000 AM

Classification: Veritas

Mitigation

The issue was validated by the product team engineers. A Norton App Lock update, version 1.4.0.503, has been released which addresses the aforementioned issue. Note that the latest Norton App Lock release and patches are available to customers through the Google Play Store. At this time, there is no evidence of any exploitations or adverse customer impact from this issue.

Consider the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-18373: Yasin Yilmaz <yasinyilmaz@email.com>

References

Additional Data

Legacy ID:

Owner: Tom Tsongas

Created: 13-NOV-19 06.58.06.000000000 AM

Modified: 18-NOV-19 05.42.57.000000000 AM

Classification: Veritas

Mitigation

The issue was validated by the product team engineers. A Norton Core update, v278, has been released which addresses the aforementioned issue. Note that Norton Core updates are received to devices automatically via firmware updates to the router. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.

Symantec recommends the following measures to reduce risk of attack: 

• To ensure that Norton Core stays up to date, keep it powered on and connected to the internet

Acknowledgements

-CVE-2019-9695: Moshe Wagner <moshe.wagner@gmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 19-MAR-19 11.23.38.000000000 AM

Modified: 10-APR-19 07.23.45.000000000 AM

Classification: Veritas

Mitigation

This issue has been validated by Symantec. Updates for Norton Password Manager, versions 6.2.0.1078 (Android) and 6.2.309 (iOS), have been released to address this issue. Note that the latest Norton Password Manager release are available to customers through the Google Play Store and the Apple App Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-18365: YoKo Kho <@yokoacc / yk@firstsight.me>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 07-FEB-19 10.59.22.000000000 AM

Modified: 14-FEB-19 06.00.36.000000000 AM

Classification: Veritas

Mitigation

An update for Norton Password Manager for Android, version 6.6.2.5, has been released to address these issues. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. At this time, there is no evidence of any exploitations or adverse customer impact from these issues.

Acknowledgements

• CVE-2019-18381: Alesandro Ortiz <https://AlesandroOrtiz.com>
• CVE-2019-19545: Alesandro Ortiz <https://AlesandroOrtiz.com>
• CVE-2019-19546: Alesandro Ortiz <https://AlesandroOrtiz.com>

References

Additional Data

Legacy ID:

Owner: Tom Tsongas

Created: 03-DEC-19 11.12.41.000000000 AM

Modified: 05-DEC-19 05.42.32.000000000 AM

Classification: Veritas

Mitigation

The issue was validated by the product team engineers. A Norton Password Manager for Android (formerly Norton Identity Safe) update, version 6.1.0.1045, has been released which addresses the aforementioned issue. Note that the latest Norton Password Manager for Android release and patches are available to customers through the Google Play Store. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2018-18362: Luigi Gubello <luigi.gubello@protonmail.com>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 30-NOV-18 06.40.33.000000000 AM

Modified: 06-DEC-18 06.00.27.000000000 AM

Classification: Veritas

Mitigation

This issue has been validated by Symantec. An update for Norton Password Manager for Android, version 6.3.0.2082, has been released to address this issue. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-9700: YoKo Kho <@yokoacc / yk@firstsight.me>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 06-JUN-19 06.05.35.000000000 AM

Modified: 16-JUL-19 06.00.23.000000000 AM

Classification: Veritas

Mitigation

This issue has been validated by Symantec. An update for Norton Password Manager for Android, version 6.5.0.2104, has been released to address this issue. Note that the latest Norton Password Manager release is available to customers through the Google Play Store. Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-12755: Dhiraj Mishra <@RandomDhiraj>

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 09-SEP-19 10.53.14.000000000 AM

Modified: 16-SEP-19 06.00.17.000000000 AM

Classification: Veritas

Mitigation

This issue was validated by the product team engineers. A Symantec AV Engine fix, version 13.0.9r17, has been released that addresses the aforementioned issue. Note that this update is specific to Mac endpoints only.

AV Engine updates occur automatically via LiveUpdateTM; user interaction is not directly required. Rollout of this particular update occurred on 4/24/2019. At this time, Symantec is not aware of any exploitations or adverse customer impact from this issue.

Symantec recommends the following measures to reduce risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
• Keep all operating systems and applications current with vendor patches.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Acknowledgements

• CVE-2019-9698: RACK911 Labs https://www.rack911labs.com/

References

Additional Data

Legacy ID:

Owner: Thomas Tsongas

Created: 01-MAY-19 06.50.17.000000000 AM

Modified: 08-MAY-19 11.55.39.000000000 AM

Classification: Veritas

Mitigation

A Norton Power Eraser update, version 5.3.0.67, has been made available to address this issue. The latest Norton Power Eraser downloads are available to customers via the Norton Support portal. At this time, there is no evidence of any attempts at this exploit in the wild.

Acknowledgements

• - CVE-2019-19548: Eran Shimony <@EranShimony> of CyberArk Labs

References

Additional Data

Legacy ID:

Owner:

Created:

Modified:

Classification: