Symantec Security Flaw Still A Threat

Independent security researcher Cesar Cerrudo posted an advisory late Sunday night to the security mailing list Full Disclosure that described a buffer overflow problem in Symantec's free online Security Check service, which is used to check systems for common security vulnerabilities and attacks. The flaw resided in an ActiveX control used by Security Check to examine a computer system. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.

Cerrudo didn't directly inform Symantec of the vulnerability, but the security vendor did learn about it from Currudo's posting to the mailing list. Symantec issued its own advisory Monday evening to the security mailing list Bugtraq that said the vendor has fixed the problem and that users who now scan their systems won't be affected by the flaw.

However, ActiveX controls are downloaded onto a user's computer. So users who don't rescan their systems with Security Check and download the new ActiveX control would still have the flawed software on their computers. ActiveX is the name for Microsoft software used to run small programs.

Millions of Symantec customers who used the free Security Check service could still be at risk for attack, security experts say. "I can definitely foresee an attempt to en masse exploit this in the foreseeable future," says Russ Cooper, surgeon general for the security services firm TruSecure Corp. Such an attack could come in the form of a maliciously designed Web site or a virus or worm that attempts to attack the vulnerability.

The flaw also could affect even those who never used Symantec's service. Someone could take a copy of the vulnerable ActiveX control, which contains a digital signature, and use that software to infect others, says Chris Wysopal, director of research and development for security company @Stake Inc. People who visit a Web site that attempts to download the ActiveX control will be asked whether they want to download the app. But the application will appear to be legitimately signed by Symantec, he says. "I think most users would decide its OK to trust the download," he says.

As a result, security experts say Symantec should be doing more to warn users of the security threat. The company isn't making great efforts to warn users that they may have a serious security hole on their computers as a result of using the free security-scanning service. The vendor's home page late Wednesday night contained a security advisory on a Sun Microsystems database buffer overflow vulnerability, but there's no warning about its own ActiveX vulnerability.

As of late Thursday afternoon, three days after its original security advisory, Symantec posted the security advisory about this vulnerability prominently on the vendor's homepage

The vulnerability also isn't mentioned on the vendor's Security Response page, where it usually highlights the latest viruses, worms, and software security vulnerabilities. The advisory for Symantec's own vulnerability is buried three pages deep and titled "Symantec Security Check ActiveX Buffer Overflow."

"Flaws like this are especially embarrassing for security companies," says Pete Lindstrom, director of research for Spire Security. "For a service intended to be used by so many users, and given the business that they are in, you would hope they would step up to the plate and accept their mistake a little more boldly."

Cooper agrees: "I think there definitely needs to be some sort of warning plus advisory on the Symantec home page and again on the Symantec Security Check site. The only reason I can think of as to why they haven't so far is because they feel it would be detrimental to their marketing."

Symantec didn't respond to requests for comment. How many Symantec customers who may still have the vulnerable ActiveX software on their systems remains unclear. The company did issue a press release in December stating that 30 million users have turned to the Symantec Security Check "to identify and address online safety threats to their personal computers."

Symantec did post an advisory to the Bugtraq security mailing list. But the readership of Bugtraq, which is owned by Symantec, is made up of security professionals, not the home users and small businesses most likely to use Symantec's free security checkup service.

This story courtesy of InformationWeek .