Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support Feb 23 2007 09:01PM
secure symantec com
Re: Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support Feb 23 2007 09:47PM
John Smith (genericjohnsmith gmail com)
This advisory says that tgctlsi.dll and tgctlsr.dll are vulnerable,
however SupportSoft is only providing an update for tgctlsi.dll
(http://www.supportsoft.com/support/controls_update.asp). Does
tgctlsr.dll call into tgctlsi.dll where the true vulnerability
exists, did tgctlsr.dll turn out not to be vulnerable, or has
SupportSoft just not provided a fix for tgctlsr.dll?

On Feb 23, 2007, at 9:01 PM, secure (at) symantec (dot) com wrote:

> Symantec Security Advisory
> SYM07-002
> http://www.symantec.com/avcenter/security/Content/2007.02.22.html
> BID 22564
> 22 Feb, 2007
> Stack Overflow in Third-Party ActiveX Controls affects Multiple
> Vendor Products Including Some Symantec Consumer Products and
> Automated Support Assistant
> Revision History
> None
> Severity
> High (dependent on configuration and user interaction)
> BID22564
> http://www.symantec.com/avcenter/security/Content/2007.02.22.html
> Remote Access Yes
> Local Access No
> Authentication Required No
> Exploit publicly available No
> Overview
> Vulnerabilities were identified in third-party trouble-shooting ActiveX
> controls, developed by SupportSoft, www.supportsoft.com. Two of these
> controls were signed, shipped and installed with the identified versions
> of Symantec's consumer products and as part of the Symantec Automated
> Support Assistant support tool. The vulnerability identified in the
> Symantec shipped controls could potentially result in a stack overflow
> requiring user interaction to exploit. If successfully exploited this
> vulnerability could potentially compromise a user's system possibly
> allowing execution of arbitrary code or unauthorized access to system
> assets with the permissions of the user's browser.
> Supported Symantec Product(s) Affected
> Product Solution(s)
> Symantec Automated Support Assistant
> Update Available
> Symantec Norton AntiVirus 2006
> Update Available
> Symantec Norton Internet Security 2006
> Update Available
> Symantec Norton System Works 2006
> Update Available
> Symantec Products NOT Affected
> Product(s) Version
> Symantec 2007 Consumer Products All
> Symantec Norton 360
> Symantec Corporate and Enterprise Products All
> NOTE: Only Symantec Consumer products indicated as affected above
> shipped with these vulnerable components. The Symantec Automated
> Support Assistant is used by online consumer customer support when
> a consumer customer visits the support site requiring assistance.
> The Automated Support Assistant tool aids in providing the user
> with solution information to their problems. The SupportSoft
> ActiveX controls were initially implemented mid-2005 on Symantec's
> consumer support site. During the timeframe up to August 2006, when
> the non-vulnerable controls were made available, vulnerable controls
> could potentially be installed by the Automated Support Assistant on
> customer systems running Symantec consumer products and versions
> other than those listed above.
> See Symantec Response section to determine if your product has a
> vulnerable version of the Automated Support Assistant fix tool.
> Symantec Corporate and Enterprise products do not ship with these
> components and are NOT vulnerable to this issue.
> Details
> Symantec was initially alerted by Next Generation Security Software
> (NGSS), to stack overflow and unauthorized access vulnerabilities
> identified in two SupportSoft ActiveX controls, SmartIssue
> tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and
> shipped with some of Symantec's 2006 consumer products and used by
> the Symantec Automated Support Assistant support tool Symantec
> provides on its consumer support site.
> These SupportSoft ActiveX components did not properly validate
> external input. This failure could potentially lead to
> unauthorized access to system resources or the possible execution of
> malicious code with the privileges of the user's browser, resulting
> in a potential compromise of the user's system.
> Any attempt to exploit these issues would require interactive user
> involvement. An attacker would need to be able to effectively
> entice a user to visit a malicious web site where their malicious
> code was hosted or to click on a malicious URL in any attempt to
> compromise the user's system. While these SupportSoft-developed
> components should also have been effectively site-locked, which
> would have further reduced the severity, this capability was found
> to be improperly implemented in the vulnerable versions.
> Symantec Response
> Symantec worked closely with SupportSoft to ensure updates were
> quickly made available for the identified controls. SupportSoft
> has posted a Security Bulletin,
> http://www.supportsoft.com/support/controls_update.asp, for the
> controls Symantec uses and controls used in other products on their
> support site, www.supportsoft.com.
> Symantec immediately removed the vulnerable controls from its
> consumer support site. Symantec engineers tested the updates
> provided by SupportSoft extensively and once tested updated the
> Symantec Automated Support Assistant on Symantec's support site.
> Additionally, in November 2006, the vulnerable versions of these
> controls were disabled through LiveUpdate for Symantec consumer
> customers who regularly run interactive updates to their Symantec
> applications.
> Those Symantec consumer customers who rely solely on Automatic
> LiveUpdate would have received an automatic notification to
> initiate an interactive LiveUpdate session to obtain all pending
> updates. To ensure all updates have been properly retrieved and
> applied to Symantec consumer products, users should regularly run
> an interactive LiveUpdate session as follows:
> * Open any installed Symantec consumer product
> * Click on LiveUpdate in the GUI toolbar
> * Run LiveUpdate until all available Symantec product updates are
> downloaded and installed or you are advised that your system has
> the latest updates available.
> Symantec recommends customers always ensure they have the latest
> updates to protect against threats.
> Symantec customers who previously downloaded the Symantec Automated
> Support Assistant tool beginning in July 2005 and those who have
> installed versions of the consumer products indicated above may
> also go to the Symantec support site,
> https://www-secure.symantec.com/techsupp/asa/install.jsp to ensure
> they have the updated version of the Automated Support Assistant
> fix tool. By downloading the updated version of the Symantec
> Automated Support Assistant fix tool, any existing legacy controls
> are updated with non-vulnerable versions.
> Customers, who have received support assistance since August 2006,
> will already have the latest non-vulnerable versions of these
> controls.
> Symantec has not seen any active attempts against or customer
> impact from these issues.
> Mitigation
> Symantec Security Response is releasing an AntiVirus Bloodhound
> definition Bloodhound.Exploit.119, a heuristic detection and
> prevention for attempts to exploit these vulnerable controls. Virus
> definitions containing this heuristic will be available through
> Symantec LiveUpdate or Symantec's Intelligent Updater.
> IDS signatures have also been released to detect and block attempts
> to exploit this issue. Customers using Symantec Norton Internet
> Security or Norton Personal Firewall receive regular signature
> updates if they run LiveUpdate automatically. If not using the
> Automatic LiveUpdate function, Symantec recommends customers
> interactively run Symantec LiveUpdate frequently to ensure they
> have the most current protection available.
> Establishing more secure Internet zone settings for the local user
> can prohibit activation of ActiveX controls without the user's
> consent.
> An attacker who successfully exploited this vulnerability could
> gain the user rights of the local user. Users whose accounts are
> configured to have fewer user rights on the system would be less
> impacted than users who operate with administrative privileges.
> As always, if previously unknown malicious code were attempted to
> be distributed in this manner, Symantec Security Response would
> react quickly to updated definitions via LiveUpdate to detect and
> deter any new threat(s).
> Best Practices
> As part of normal best practices, Symantec strongly recommends a
> multi-layered approach to security:
> * Run under the principle of least privilege where possible.
> * Keep all operating systems and applications updated with the
> latest vendor patches.
> * Users, at a minimum, should run both a personal firewall and
> antivirus application with current updates to provide multiple
> points of detection and protection to both inbound and outbound
> threats.
> * Users should be cautious of mysterious attachments and
> executables delivered via email and be cautious of browsing unknown/
> untrusted websites or clicking on unknown/untrusted URL links.
> * Do not open unidentified attachments or executables from unknown
> sources or that you didn't request or were unaware of.
> * Always err on the side of caution. Even if the sender is known,
> the source address may be spoofed.
> * If in doubt, contact the sender to confirm they sent it and why
> before opening the attachment. If still in doubt, delete the
> attachment without opening it.
> A CVE Candidate CVE-2006-6490 has been assigned. This issue is a
> candidate for inclusion in the CVE list (http://cve.mitre.org),
> which standardizes names for security problems.
> Credit:
> Symantec has coordinated very closely with SupportSoft to help
> ensure that all additional affected vendor customer bases have been
> provided with information concerning affected controls and updates
> to address the vulnerability.
> Symantec wants to thank Mark Litchfield of NGS Software Ltd. for
> the initial identification and notification of this issue and for the
> excellent, in-depth coordination with both Symantec and SupportSoft
> while resolving the issue.
> Additionally, this issue was independently identified by the
> analysts at CERT, in CERT Vulnerability Note VU#441785, who reported
> their findings to and worked closely with both Symantec and
> SupportSoft through to resolution and by Peter Vreugdenhil, working
> through iDefense who coordinated with Symantec as we resolved the
> issue.
> Symantec takes the security and proper functionality of its
> products very seriously. As founding members of the Organization
> for Internet Safety (OISafety), Symantec follows the principles of
> responsible disclosure.
> Symantec also subscribes to the vulnerability guidelines outlined
> by the National Infrastructure Advisory Council (NIAC). Please
> contact secure (at) symantec (dot) com if you feel you have
> discovered a potential or actual security issue with a Symantec
> product. A Symantec Product Security team member will contact you
> regarding your submission.
> Symantec has developed a Product Vulnerability Handling Process
> document outlining the process we follow in addressing suspected
> vulnerabilities in our products.
> We support responsible disclosure of all vulnerability information
> in a timely manner to protect Symantec customers and the security
> of the Internet as a result of vulnerability. This document is
> available from http://www.symantec.com/security/
> Symantec strongly recommends using encrypted email for reporting
> vulnerability information to secure (at) symantec (dot) com. The
> Symantec Product Security PGP key can be obtained from the location
> provided above.

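An added check, not part of the advisory, the thread, or any Symantec or SupportSoft tooling, that a defender can run to answer the inventory question the advisory raises: whether either of the two named SupportSoft controls is still registered on a workstation, what file version is on disk, and how the Internet zone is configured for ActiveX (the advisory's zone-settings mitigation). It assumes a Windows host with PowerShell and only reads the registry and file metadata; the advisory gives no fixed version number, so the script reports rather than judges.

```powershell
# Added example (not from SYM07-002, Symantec or SupportSoft): read-only
# inventory of the SmartIssue (tgctlsi.dll) and ScriptRunner (tgctlsr.dll)
# ActiveX controls named in the advisory, plus the Internet-zone ActiveX
# setting. Run in an elevated PowerShell on the workstation being checked.

$targets = @('tgctlsi.dll', 'tgctlsr.dll')

# 1. Walk every registered COM class and keep those whose in-process
#    server is one of the target DLLs. Presence alone does not prove the
#    vulnerable build is installed; compare the version against the
#    SupportSoft bulletin referenced in the advisory.
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$findings = foreach ($key in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
    $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    $path = $server.Trim('"')
    $leaf = [System.IO.Path]::GetFileName($path).ToLower()
    if ($targets -notcontains $leaf) { continue }
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CLSID   = $key.PSChildName
        Dll     = $leaf
        Path    = $path
        Present = [bool]$file
        Version = if ($file) { $file.VersionInfo.FileVersion } else { 'file missing' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No SupportSoft tgctlsi/tgctlsr controls are registered on this host.' }

# 2. Internet zone (zone 3) action 1200 = "Run ActiveX controls and
#    plug-ins": 0 = enable, 1 = prompt, 3 = disable. The advisory's
#    mitigation is to tighten this so controls cannot activate without
#    the user's consent. HKLM or Group Policy may override the HKCU value.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$run = (Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue).'1200'
switch ($run) {
    0       { 'Internet zone: ActiveX runs without prompting (weak setting)' }
    1       { 'Internet zone: ActiveX prompts before running' }
    3       { 'Internet zone: ActiveX disabled' }
    default { 'Internet zone: value 1200 not set per-user (policy or defaults apply)' }
}
```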

