Bugtraq mailing list archives

Norton Utilities 2.0 Vulnerability


From: aleph1 () DFW NET (Aleph One)
Date: Thu, 10 Apr 1997 22:23:46 -0500


  CUPERTINO, Calif. (April 8, 1997 5:13 p.m.  EDT) -- Symantec
Corp. is readying a fix for a security flaw in its popular
Norton Utilities software.


   The bug can leave personal computer users vulnerable to
outside attack when users of Norton Utilities 2.0 for Windows 95
get on the World Wide Web through Microsoft Corp.'s Internet
Explorer.

   The problem was discovered last week by Symantec rival McAfee
Associates, which reported it to the Windows Sources newsletter,
which ran its own tests. Windows Sources informed Symantec on
Monday.

   "As soon as we found there was a flaw, we put a fix together,"
said Tom Andrus, Symantec's senior product manager. "We plan to
put it on the Web ... today (Tuesday)."

   Symantec estimates that about 250,000 people use Norton
Utilities, which lets PC users back up files, protect data and
prevent damage from viruses. But it is not known how many users
of Norton Utilities 2.0 for Windows 95 connect to the Web
through Internet Explorer.

   Symantec said no breaches have been reported aside from tests
run by McAfee and Windows Sources.

   The security flaw allows the Symantec program to accept
commands from the outside. In theory, an outsider could alter
or destroy data or gather information from the computer.

   Symantec said users of Norton Utilities 2.0 for Windows will
be able to get the flaw fixed by clicking on the "live update"
button in the program. The program will search the Web for the
patch, download and install it.

   Windows Sources said Norton Utilities exposes a weakness in
Microsoft's Active-X technology used in its browser. The
technology lets PC users download small software applications
from the Web onto their computers.

   While the flaw is known to occur only in combination with
Norton Utilities 2.0 for Windows 95 and Internet Explorer,
"there could be other combinations of application and
Active-X-based browsers that are equally vulnerable," said
Windows Sources.

   Microsoft, however, said the Active-X technology is safe.

   "This was an honest mistake by Symantec, which they are
correcting," said Cornelius Willis, head of platform marketing
for Microsoft. "Active-X security still works."

   Symantec said it had no problem with McAfee's making the flaw
public. But it blasted its rival for not telling it directly.
Andrus said that when Symantec engineers find bugs in other
companies' software, it lets those companies know.


   "I think we were taken aback that they would go to the press,
create something akin to a virus and then basically show the
world how to do that," he said. "We found that rather slimy."

   But McAfee spokesman Mark Coker said the company believed it
was important to have a third party test and publicize the
problem as soon as possible. He called Symantec's accusation
"kind of a shock."

   "They are just trying to draw attention away from their
responsibility for the problem," he said.






 --
____Graham-John Bullers____www.Freenet.Edmonton.ab.ca/~real/index.html____
Lord grant me the serenity to accept the things I cannot change.The courage
to change the things I can.And the wisdom to hide the bodies of the people
I had to kill because they pissed me off.________alt.2600.moderated________

[end of message ... text also available at 
<url:http://www.reference.com/cgi-bin/pn/go?choice=message&table=04_1997&mid=1323625&hilit=FLAW+SECURITY> ]


