Symantec Fixes 'Highly Critical' Bug In Norton

Symantec released a patch for what's being called a "highly critical" bug in two ActiveX controls used in several Norton security products.

The company released an advisory on Thursday that there is an input validation error in two ActiveX controls, which are used in Norton AntiVirus, Norton Internet Security, and Norton System Works. Symantec noted that versions of its AntiVirus Corporate Edition or Symantec Client Security are not affected by the vulnerability.

U.S.-CERT reported that an attacker may be able to execute arbitrary code on an affected system by enticing a user to view a specially crafted html document. Generally, users are duped into either opening a malicious attachment in an e-mail or are lured to a malicious Web page with the infectious code embedded within it.

Symantec patched the flaw, which the company itself said has a "high" risk impact. Secunia, another security vendor, gave it a "highly critical" rating. The fix is available in LiveUpdate in Interactive Mode.

Secunia reported that the vulnerabilities are caused by errors in the AxSysListView32 and AxSysListView32OAA ActiveX controls (NavComUI.dll) when handling the "AnomalyList" and "Anomaly" properties respectively, as they take a VARIANT* as argument.

The security company said its researchers have not found any exploits circulating for these bugs and have not been made aware of any customers affected by the vulnerabilities. The company is crediting Carsten Eiram, a researcher with Secunia, for reporting the bug and working with Symantec on the response.

In May, Symantec warned users that an ActiveX control in its Norton Internet Security product could enable a remote hacker to take over the system. According to a Symantec advisory, an ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contained a buffer overflow vulnerability. Researchers at U.S.-CERT notified Symantec of the vulnerability.