Symantec, maker of several home security applications, issued an alert and patch to users who have Norton AntiVirus, Internet Security, or SystemWorks 2005 or 2006 installed on their computers. The warning relates to an ActiveX control used by Symantec’s consumer products. Enterprise software is not affected by this vulnerability. If exploited, the vulnerability could allow remote and local access to the target computer, Symantec said.
“Symantec was notified by iDefense that a design error in NAVOPTS.DLL, an ActiveX control used by Norton AntiVirus, could potentially allow an attacker to crash the control if the end user visits a malicious web site. A successful exploit of NAVOPTS.DLL could then allow the attacker to access other Symantec ActiveX controls, even if they are not marked safe for scripting, possibly leading to remote arbitrary code execution in the context of the user's browser,” said the company in a statement.
Engineers discovered the flaw after a report from iDefense alerted them to an issue. It was later found that the issue was limited to consumer products, but the number of people who could be affected is just as large as the company's corporate user base.
The vulnerability can be exploited only when a user visits a malicious website. Some common methods to exploit the flaw, Symantec said, are through website redirection, malicious emails, and internal website functions such as hidden iframes.
To correct the issue, users need to run LiveUpdate manually, and the patch will be delivered. In warning about this issue, Symantec also gave some advice on how to mitigate such issues in the future. “Symantec strongly recommends a multi-layered approach to security,” the company said.
The company listed such actions as keeping all operating systems and applications updated with the latest vendor patches, and being cautious when receiving attachments, executables, and web links through email. Never open email from unknown senders. Email addresses can easily be spoofed so that a message appears to come from someone you know. If in doubt, contact the sender to confirm they sent it before opening attachments or following web links.
By Steve Ragan