Bugtraq mailing list archives

RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow


From: "Jason Coombs" <jasonc () science org>
Date: Tue, 24 Jun 2003 08:40:44 -1000

Aloha, Symantec Security.

Two questions:

1) Does this ActiveX control bear a digital signature? If so, the problem it
causes does not go away simply because there is a new version available from
Symantec. An attacker in possession of the bad code with its attached digital
signature can fool a victim whose computer does not currently have the
vulnerable code installed into trusting the ActiveX control due to the fact
that Symantec's digital signature will validate against the trusted root CA
certificate present by default in Windows -- the existence of the digital
signature on the bad code effectively transfers ownership of millions of other
people's computers to anyone who should become interested in attacking those
computers; it is extremely important that Symantec take further action above
and beyond compiling a new version of the affected code because of the ongoing
threat posed for the duration of the validity of the digital signature.

2) Symantec must have known in advance of this discovery and disclosure that
ActiveX was inherently insecure and that the whole system of digital
signatures and third-party PKI advanced by Microsoft was flawed beyond repair,
yet Symantec chose to put the computing public at risk anyway -- how can
Symantec claim that disclosure is a serious threat that should be discouraged
while Symantec knowingly engages in business behavior that the security
community knows to be unsafe? If Symantec's products were designed with
security as the highest priority, they would be open source and they would
avoid using any technique such as ActiveX controls and digitally signed code
that has been proven to be impossible to manage securely.

> premature disclosure can pose a serious threat to the internet.
> Such disclosure should be discouraged.

It is pointless to fret over the potential threat that disclosure might cause
while we simultaneously ignore the provable threats that our misbehaviors do
cause. Full disclosure is the only protection we have against ourselves and
our own stupidity, and such disclosure should be encouraged.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Craig Ozancin [mailto:cozancin () symantec com] On Behalf Of Sym Security
Sent: Tuesday, June 24, 2003 7:09 AM
To: bugtraq () securityfocus com
Subject: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow

Title:    Symantec Security Check ActiveX Buffer Overflow

Date:     Monday, June 23, 2003 09:15:19 PM
Threat:   Moderate
Impact:   System Access
Product:  Symantec Security Check

Situation Overview:
Symantec Security Check is ... an ActiveX Control ...
exploited when the user with this ActiveX Control visits ...

Symantec has replaced the current ActiveX Control on the Symantec
Security Check website so that new visitors will not be affected by
the exploit.

We are working with users who may have downloaded the exploited ActiveX
Control to remove it from their systems. Although Symantec Security Check
is available to both PC and Mac users, this issue only affects PCs.

Symantec Vulnerability Response Process:
Symantec is a strong supporter of responsible disclosure. It is our
goal to establish a working relationship with researchers who
discover vulnerabilities in Symantec products and to develop, test
and make available updates prior to their being publicly disclosed.
It is ours as well as much of the security community's belief that
premature disclosure can pose a serious threat to the internet. Such
disclosure should be discouraged.

Symantec Security

