The industry's two largest security vendors broke out cans of Raid this week to deal with nasty security bugs invading their antivirus software.
However, the ActiveX vulnerabilities -- one in McAfee Security Center, a management interface for its antivirus and antispam software, the other in Symantec's Norton Antivirus product -- don't appear to be connected to the ongoing Month Of ActiveX Bugs project.
The "McSubMgr.DLL" ActiveX control in McAfee Security Center contains a flaw that could let an attacker corrupt memory by passing the control more data than it can handle, opening the door to remote code execution, Symantec said in a Wednesday DeepSight Threat Management bulletin.
To exploit the vulnerability, a miscreant would have to trick a user into clicking on a malicious link in an e-mail or on a Web page, McAfee said in an advisory.
McAfee said the flaw affects products that are managed through Security Center, including Total Protection 2007, VirusScan 8.x, 9.x, 10.x, and VirusScan Plus 2007.
Santa Clara, Calif.-based McAfee said it fixed the vulnerability in March with Security Center updates 7.2.147 and 6.0.25, which many of its customers received automatically.
McAfee rated the flaw's severity as "medium," but Symantec saw it as more serious, giving it a rating of 8.3 on its 10-point scale on the grounds that an exploit is circulating.
Meanwhile, Symantec this week acknowledged a buffer overflow vulnerability in the ActiveX control that ships with its popular Norton Antivirus software.
As with the McAfee bug, an attacker would have to get an unsuspecting user to click on a malicious link, but a successful ruse would bring the ability to execute malicious code, Symantec said.
Symantec said it has released an update for Norton that fixes the flaw and has made it available to customers through its LiveUpdate service.
Cupertino, Calif.-based Symantec rated the flaw's severity as 8.3 out of 10. McAfee didn't rate the Symantec bug, but Danish security research firm Secunia said it was "moderately critical," or 3 out of 5.
Both vulnerabilities were discovered by researcher Peter Vreugdenhil and reported to the vendors through Verisign's IDefense Labs.
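Neither vendor advisory quoted above tells an administrator how to confirm that the affected control is gone or neutralized on a given machine. The following PowerShell check is an added example, not code from the article, McAfee or Symantec: it walks HKCR\CLSID for any control whose in-process server is McSubMgr.dll (the DLL name comes from the article), reports the file version on disk, and says whether Internet Explorer's kill bit (the 0x400 Compatibility Flags value under the ActiveX Compatibility key, a standard Windows location) is set for that CLSID. It assumes a Windows host with the McAfee software installed and makes no assumption about which CLSID the control uses.

```powershell
# Added check (not from the article or either vendor): find any COM/ActiveX
# control registered with McSubMgr.dll as its in-process server, show its
# file version, and report whether IE's kill bit is set for that CLSID.
# Assumptions: Windows host, McAfee Security Center installed; the DLL name
# is from the article, the registry paths are standard Windows locations.

$target = 'McSubMgr.dll'   # control named in the advisory

$hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # InprocServer32's default value is the path of the DLL that implements the control
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -like "*$target*") {
            $clsid = $_.PSChildName
            $path  = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
            $ver   = if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'file missing' }

            # Kill bit: Compatibility Flags 0x400 under the ActiveX Compatibility key blocks
            # IE from instantiating the control, regardless of whether the DLL is still present.
            $kb = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" -ErrorAction SilentlyContinue
            $killed = [bool]($kb -and (($kb.'Compatibility Flags' -band 0x400) -ne 0))

            [pscustomobject]@{ CLSID = $clsid; Path = $path; FileVersion = $ver; KillBit = $killed }
        }
    }

if (-not $hits) { "No CLSID registered for $target" } else { $hits | Format-Table -AutoSize }
```

A kill bit only stops Internet Explorer from loading the control; it is a stopgap, not a substitute for the Security Center update (7.2.147 or 6.0.25) that McAfee says fixes the flaw. Compare the reported file version against what the vendor's updated package ships, since the Security Center version number and the DLL's own file version are not necessarily the same string.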