Bugtraq mailing list archives
Norton Utilities 2.0 Vulnerability
From: aleph1 () DFW NET (Aleph One)
Date: Thu, 10 Apr 1997 22:23:46 -0500
CUPERTINO, Calif. (April 8, 1997 5:13 p.m. EDT) -- Symantec Corp. is readying a fix for a security flaw in its popular Norton Utilities software.

The bug can leave personal computer users vulnerable to outside attack when users of Norton Utilities 2.0 for Windows 95 get on the World Wide Web through Microsoft Corp.'s Internet Explorer.

The problem was discovered last week by Symantec rival McAfee Associates, which reported it to the Windows Sources newsletter, which ran its own tests. Windows Sources informed Symantec on Monday.

"As soon as we found there was a flaw, we put a fix together," said Tom Andrus, Symantec's senior product manager. "We plan to put it on the Web ... today (Tuesday)."

Symantec estimates that about 250,000 people use Norton Utilities, which lets PC users back up files, protect data and prevent damage from viruses. But it is not known how many users of Norton Utilities 2.0 for Windows 95 connect to the Web through Internet Explorer.

Symantec said no breaches have been reported aside from tests run by McAfee and Windows Sources.

The security flaw allows the Symantec program to accept commands from the outside. In theory, an outsider could alter or destroy data or gather information from the computer.

Symantec said users of Norton Utilities 2.0 for Windows will be able to get the flaw fixed by clicking on the "live update" button in the program. The program will search the Web for the patch, download and install it.

Windows Sources said Norton Utilities exposes a weakness in Microsoft's Active-X technology used in its browser. The technology lets PC users download small software applications from the Web onto their computers.

While the flaw is known to occur only in combination with Norton Utilities 2.0 for Windows 95 and Internet Explorer, "there could be other combinations of application and Active-X-based browsers that are equally vulnerable," said Windows Sources.

Microsoft, however, said the Active-X technology is safe.

"This was an honest mistake by Symantec, which they are correcting," said Cornelius Willis, head of platform marketing for Microsoft. "Active-X security still works."

Symantec said it had no problem with McAfee's making the flaw public. But it blasted its rival for not telling it directly. Andrus said that when Symantec engineers find bugs in other companies' software, it lets those companies know.

"I think we were taken aback that they would go to the press, create something akin to a virus and then basically show the world how to do that," he said. "We found that rather slimy."

But McAfee spokesman Mark Coker said the company believed it was important to have a third party test and publicize the problem as soon as possible. He called Symantec's accusation "kind of a shock."

"They are just trying to draw attention away from their responsibility for the problem," he said.

--
____Graham-John Bullers____www.Freenet.Edmonton.ab.ca/~real/index.html____
Lord grant me the serenity to accept the things I cannot change. The courage to change the things I can. And the wisdom to hide the bodies of the people I had to kill because they pissed me off.
________alt.2600.moderated________

[end of message ... text also available at <url:http://www.reference.com/cgi-bin/pn/go?choice=message&table=04_1997&mid=1323625&hilit=FLAW+SECURITY> ]