Thread-topic: [SA22228] Symantec Support Tool ActiveX Control Vulnerabilities
>
> TITLE:
> Symantec Support Tool ActiveX Control Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA22228
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Exposure of system information, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Symantec Automated Support Assistant
>
> Symantec Norton AntiVirus 2005
>
> Symantec Norton AntiVirus 2006
>
> Symantec Norton Internet Security 2005
>
> Symantec Norton Internet Security 2006
>
> Symantec Norton SystemWorks 2005
>
> Symantec Norton SystemWorks 2006
>
>
> DESCRIPTION:
> Some vulnerabilities have been reported in Support Tool ActiveX
> Control included in various Symantec products, which potentially can
> be exploited by malicious people to disclose system information or to
> compromise a vulnerable system.
>
> 1) An unspecified input validation error exists, which can be
> exploited to gain unauthorized access to system information.
>
> 2) An unspecified boundary error exist, which can be exploited to
> cause a stack-based buffer overflow and may allow execution of
> arbitrary code with privileges of the user running the browser.
>
> Successful exploitation requires spoofing of a trusted domain web
> site and to trick the user to click on a malicious link.
>
> The following products are affected:
> * Symantec Automated Support Assistant
> * Symantec Norton AntiVirus 2005, 2006
> * Symantec Norton Internet Security 2005, 2006
> * Symantec Norton SystemWorks 2005, 2006
>
> SOLUTION:
> Norton AntiVirus, Norton Internet Security, Norton System Works:
> Apply latest updates via LiveUpdate.
>
> Automated Support Assistant:
> Update to the latest version.
>
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits John Haesman, Next Generation Security Research.
>
> ORIGINAL ADVISORY:
>
> /2006.10.05.html
>
