Symantec Support Tool ActiveX Control Vulnerabilities

Secunia Advisory: SA22228
Release Date: 2006-10-06
Last Update: 2006-10-27
Critical: Less critical
Impact: Exposure of system information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Symantec Automated Support Assistant; Symantec Norton AntiVirus 2005; Symantec Norton AntiVirus 2006; Symantec Norton Internet Security 2005; Symantec Norton Internet Security 2006; Symantec Norton SystemWorks 2005; Symantec Norton SystemWorks 2006
CVE reference: CVE-2006-5403, CVE-2006-5404
Description: Some vulnerabilities have been reported in the Support Tool ActiveX Control included in various Symantec products, which can potentially be exploited by malicious people to disclose system information or to compromise a vulnerable system.
1) An unspecified input validation error exists, which can be exploited to gain unauthorized access to system information.
2) An unspecified boundary error exists, which can be exploited to cause a stack-based buffer overflow and may allow execution of arbitrary code with the privileges of the user running the browser.
Successful exploitation requires spoofing a trusted domain web site and tricking the user into clicking a malicious link.
The following products are affected:
* Symantec Automated Support Assistant
* Symantec Norton AntiVirus 2005, 2006
* Symantec Norton Internet Security 2005, 2006
* Symantec Norton SystemWorks 2005, 2006
Solution:
Norton AntiVirus, Norton Internet Security, Norton SystemWorks: Apply the latest updates via LiveUpdate.
Automated Support Assistant: Update to the latest version.
https://www-secure.symantec.com/techsupp/asa/install.jsp
Provided and/or discovered by: The vendor credits John Haesman, Next Generation Security Research.
Changelog: 2006-10-27: Added CVE reference.
Original Advisory: http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05.html
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
13 Related Secunia Security Advisories, displaying 10
1. Symantec Products AutoFix Support Tool ActiveX Control Two Vulnerabilities
2. Symantec Products CAB and RAR Archive Handling Vulnerabilities
3. Symantec Products SYMTDI.SYS IOCTL Handler Privilege Escalation
4. Symantec Products NavComUI ActiveX Control Code Execution
5. Symantec Products NAVOpts.dll ActiveX Control Security Bypass Vulnerability
6. Symantec Multiple Products SupportSoft ActiveX Controls Buffer Overflow
7. Symantec Products IOCTL Handler Privilege Escalation
8. Symantec Multiple Products Denial of Service
9. Symantec Norton SystemWorks Protected Recycle Bin Weakness
10. Symantec AntiVirus RAR Archive Decompression Buffer Overflow