McAfee, Symantec Exterminate ActiveX Bugs

However, the ActiveX vulnerabilities -- one in McAfee Security Center, a management interface for its antivirus and antispam software, the other in Symantec's Norton Antivirus product -- don't appear to be connected to the ongoing Month Of ActiveX Bugs project.

The "McSubMgr.DLL" ActiveX control in McAfee Security Center contains a flaw that could enable an attacker to corrupt memory by sending an excessive amount of data, opening the door to remote code execution, Symantec said in a Wednesday DeepSight Threat Management bulletin.

To exploit the vulnerability, a miscreant would have to trick a user into clicking on a malicious link in an e-mail or on a Web page, McAfee said in an advisory.

McAfee said the flaw affects products that are managed through Security Center, including Total Protection 2007, VirusScan 8.x, 9.x, 10.x, and VirusScan Plus 2007.


Santa Clara, Calif.-based McAfee said it fixed the vulnerability in March with Security Center updates 7.2.147 and 6.0.25, which many of its customers received automatically.

McAfee rated the flaw's severity as "medium," but Symantec saw it as more serious, giving it a rating of 8.3 on its 10-point scale on the grounds that an exploit is circulating.

Meanwhile, Symantec this week acknowledged a buffer overflow vulnerability in the ActiveX control that ships with its popular Norton Antivirus software.

As with the McAfee bug, an attacker would have to get an unsuspecting user to click on a malicious link, but a successful ruse would give the attacker the ability to execute malicious code, Symantec said.

Symantec said it has released an update for Norton that fixes the flaw and has made it available to customers through its LiveUpdate service.

Cupertino, Calif.-based Symantec rated the flaw's severity as 8.3 out of 10. McAfee didn't rate the Symantec bug, but Danish security research firm Secunia said it was "moderately critical," or 3 out of 5.

Both vulnerabilities were discovered by researcher Peter Vreugdenhil and reported to the vendors through VeriSign's iDefense Labs.