By Dan Goodin in San Francisco
9th August 2007
In a world where digital gremlins seem to lurk in almost every shadow,
many of us feel safer using an internet security package. But for those
using many Norton security products who haven't updated recently, that
feeling is a false sense of security.
That's because a nasty bug residing in two ActiveX controls used in
Norton's PC software could allow an attacker to remotely execute code on
the user's machine. Symantec is advising users to immediately update
affected versions, which include the 2006 versions of Norton AntiVirus,
Norton Internet Security, and Norton System Works and the 2005 version
of Norton Internet Security, Anti Spyware Edition.
"This error could allow an attacker to crash Internet Explorer, or
possibly run arbitrary code with the rights of the logged in user,"
Symantec warned. The attacker would first have to lure a vulnerable
machine to a booby-trapped website, the advisory added.
Secunia rates the flaw "highly critical," the second-highest category in
its five-tier rating system.
The bug is the result of an "input validation" error, which fails to
analyze incoming data for malicious commands before executing them.
Norton is encouraging all users to run the program's Live Update feature
Visit the InfoSec News book store!