Check: 2010-A-0036
windows 7 iavm:
2010-A-0036
(in version v1 r32)
Title
Multiple Vulnerabilities in Symantec Products (Cat II impact)
Discussion
Symantec has released multiple security advisories addressing multiple vulnerabilities in various Symantec products. To exploit these vulnerabilities, a remote attacker would create and send malicious data to an affected system to bypass the scanning of malicious content, or host a malicious web site and entice a user to access the link or site sent via email. If successfully exploited, these vulnerabilities would allow the remote attacker to compromise the affected system. Failed exploits may result in a denial of service condition. At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Symantec Event Manipulation Potential Scan Bypass - (CVE-2010-0106): Symantec AntiVirus and Symantec Endpoint Protection on-demand scan bypass vulnerability. If Symantec Tamper protection is disabled, it is possible to potentially bypass scanning by having another entity deny read access to Symantec AntiVirus or Symantec Enterprise Protection. Should an attacker succeed in passing sufficient specific events to the application, on-demand scans could potentially cease to run. The application will no longer accept the user's current token, degrading the on-demand scan capability while the user remains logged on.

Buffer Overflow Vulnerability in SYMLTCOM.dll - (CVE-2010-0107): A browser-based ActiveX input validation issue in SYMLTCOM.dll that can potentially be used to produce a buffer overflow. Improperly validated information sent to the .dll can reduce the stability of the products by overwriting unauthorized portions of memory. This failure could potentially result in a browser crash or, possibly, unauthorized use of methods allowing access to system information. If successfully exploited, this issue could result in a stack overflow with the potential for malicious code execution in the context of the user's browser. The impact of this threat is considerably lessened as it requires leveraging other vulnerabilities to gain access to the system. It can only be used against a specific domain. To exploit successfully, an attacker would need to be able to effectively masquerade as an authorized site and entice a user to click on their specific URL for the malicious code to successfully impact the customer's system.

Symantec Client Proxy Buffer Overflow in Older Product Versions - (CVE-2010-0108): ActiveX buffer overflow vulnerability in the Symantec Client Proxy, CLIproxy.dll. The issue impacts the client side only, is done under the user account and does not lead to an escalation of privilege. It is possible to craft specific HTML webpages that pass information to the proxy without proper boundary checking. The impact of this threat requires user interaction to either click on a link directing them to the specially created HTML website or otherwise be exposed to said HTML in the constraints of a web browser.
Check Content
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
- Symantec AntiVirus 10.0.x
- Symantec AntiVirus 10.1.x
- Symantec AntiVirus 10.2.x
- Symantec Client Security 3.0.x
- Symantec Client Security 3.1.x
- Norton Internet Security 2006 thru 2008
- Norton AntiVirus 2006 thru 2008
- Norton SystemWorks 2006 thru 2008

Fix Action:
- Symantec AntiVirus 10.0.x – Upgrade to SAV 10.1 MR9
- Symantec AntiVirus 10.1.x – Upgrade to MR9
- Symantec AntiVirus 10.2.x – Upgrade to MR4
- Symantec Client Security 3.0.x – Upgrade to SCS 3.1 MR9
- Symantec Client Security 3.1.x – Upgrade to MR9
- Norton Internet Security 2006 thru 2008 – Run LiveUpdate in interactive mode
- Norton AntiVirus 2006 thru 2008 – Run LiveUpdate in interactive mode
- Norton SystemWorks 2006 thru 2008 – Run LiveUpdate in interactive mode

View Help, About from the application’s menu to determine version.
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-22694
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |