Re: Stack Overflow in Third-Party ActiveX Controls affects Multi
This advisory says that tgctlsi.dll and tgctlsr.dll are vulnerable,
however SupportSoft is only providing an update for tgctlsi.dll
(http://www.supportsoft.com/support/controls_update.asp). Does
tgctlsr.dll call into tgctlsi.dll where the true vulnerability
exists, did tgctlsr.dll turn out not to be vulnerable, or has
SupportSoft just not provided a fix for tgctlsr.dll?
Thanks
John
On Feb 23, 2007, at 9:01 PM, secure@symantec.com wrote:
> Symantec Security Advisory
>
> SYM07-002
> http://www.symantec.com/avcenter/security/Content/2007.02.22.html
>
> BID 22564
>
> 22 Feb, 2007
>
> Stack Overflow in Third-Party ActiveX Controls affects Multiple
> Vendor Products Including Some Symantec Consumer Products and
> Automated Support Assistant
>
> Revision History
> None
>
> Severity
> High (dependent on configuration and user interaction)
>
> BID22564
> http://www.symantec.com/avcenter/security/Content/2007.02.22.html
>
> Remote Access Yes
> Local Access No
> Authentication Required No
> Exploit publicly available No
> Overview
> Vulnerabilities were identified in third-party trouble-shooting ActiveX
> controls, developed by SupportSoft, www.supportsoft.com. Two of
> these controls were signed, shipped and installed with the
> identified versions of Symantec's consumer products and as part of
> the Symantec Automated Support Assistant support tool. The
> vulnerability identified in the Symantec shipped controls could
> potentially result in a stack overflow requiring user interaction to
> exploit. If successfully exploited this vulnerability could
> potentially compromise a user's system possibly allowing execution
> of arbitrary code or unauthorized access to system assets with the
> permissions of the user's browser.
>
> Supported Symantec Product(s) Affected
> Product Solution(s)
> Symantec Automated Support Assistant
> Update Available
> Symantec Norton AntiVirus 2006
> Update Available
> Symantec Norton Internet Security 2006
> Update Available
> Symantec Norton System Works 2006
> Update Available
>
> Symantec Products NOT Affected
> Product(s) Version
> Symantec 2007 Consumer Products All
> Symantec Norton 360
> Symantec Corporate and Enterprise Products All
>
> NOTE: Only Symantec Consumer products indicated as affected above
> shipped with these vulnerable components. The Symantec Automated
> Support Assistant is used by online consumer customer support when
> a consumer customer visits the support site requiring assistance.
> The Automated Support Assistant tool aids in providing the user
> with solution information to their problems. The SupportSoft
> ActiveX controls were initially implemented mid-2005 on Symantec's
> consumer support site. During the timeframe up to August 2006, when
> the non-vulnerable controls were made available, vulnerable controls
> could potentially be installed by the Automated Support Assistant on
> customer systems running Symantec consumer products and versions
> other than those listed above. See Symantec Response section to
> determine if your product has a vulnerable version of the Automated
> Support Assistant fix tool.
>
> Symantec Corporate and Enterprise products do not ship with these
> components and are NOT vulnerable to this issue.
>
> Details
> Symantec was initially alerted by Next Generation Security Software
> (NGSS), to stack overflow and unauthorized access vulnerabilities
> identified in two SupportSoft ActiveX controls, SmartIssue
> tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and
> shipped with some of Symantec's 2006 consumer products and used by
> the Symantec Automated Support Assistant support tool Symantec
> provides on its consumer support site.
> These SupportSoft ActiveX components did not properly validate
> external input. This failure could potentially lead to
> unauthorized access to system resources or the possible execution of
> malicious code with the privileges of the user's browser, resulting
> in a potential compromise of the user's system.
> Any attempt to exploit these issues would require interactive user
> involvement. An attacker would need to be able to effectively
> entice a user to visit a malicious web site where their malicious
> code was hosted or to click on a malicious URL in any attempt to
> compromise the user's system. While these SupportSoft-developed
> components should also have been effectively site-locked, which
> would have further reduced the severity, this capability was found
> to be improperly implemented in the vulnerable versions.
>
> Symantec Response
> Symantec worked closely with SupportSoft to ensure updates were
> quickly made available for the identified controls. SupportSoft
> has posted a Security Bulletin,
> http://www.supportsoft.com/support/controls_update.asp,
> for the controls Symantec uses and controls used in other products
> on their support site, www.supportsoft.com.
>
> Symantec immediately removed the vulnerable controls from its
> consumer support site. Symantec engineers tested the updates
> provided by SupportSoft extensively and once tested updated the
> Symantec Automated Support Assistant on Symantec's support site.
> Additionally, in November 2006, the vulnerable versions of these
> controls were disabled through LiveUpdate for Symantec consumer
> customers who regularly run interactive updates to their Symantec
> applications.
> Those Symantec consumer customers who rely solely on Automatic
> LiveUpdate would have received an automatic notification to
> initiate an interactive LiveUpdate session to obtain all pending
> updates. To ensure all updates have been properly retrieved and
> applied to Symantec consumer products, users should regularly run
> an interactive LiveUpdate session as follows:
> * Open any installed Symantec consumer product
> * Click on LiveUpdate in the GUI toolbar
> * Run LiveUpdate until all available Symantec product updates are
> downloaded and installed or you are advised that your system has
> the latest updates available.
> Symantec recommends customers always ensure they have the latest
> updates to protect against threats.
>
> Symantec customers who previously downloaded the Symantec Automated
> Support Assistant tool beginning in July 2005 and those who have
> installed versions of the consumer products indicated above may
> also go to the Symantec support site,
> https://www-secure.symantec.com/techsupp/asa/install.jsp
> to ensure they have the updated version of the Automated Support
> Assistant fix tool. By downloading the updated version of the
> Symantec Automated Support Assistant fix tool, any existing legacy
> controls are updated with non-vulnerable versions.
> Customers, who have received support assistance since August 2006,
> will already have the latest non-vulnerable versions of these
> controls.
> Symantec has not seen any active attempts against or customer
> impact from these issues.
>
> Mitigation
> Symantec Security Response is releasing an AntiVirus Bloodhound
> definition Bloodhound.Exploit.119, a heuristic detection and
> prevention for attempts to exploit these vulnerable controls. Virus
> definitions containing this heuristic will be available through
> Symantec LiveUpdate or Symantec's Intelligent Updater.
> IDS signatures have also been released to detect and block attempts
> to exploit this issue. Customers using Symantec Norton Internet
> Security or Norton Personal Firewall receive regular signature
> updates if they run LiveUpdate automatically. If not using the
> Automatic LiveUpdate function, Symantec recommends customers
> interactively run Symantec LiveUpdate frequently to ensure they
> have the most current protection available.
> Establishing more secure Internet zone settings for the local user
> can prohibit activation of ActiveX controls without the user's
> consent.
> An attacker who successfully exploited this vulnerability could
> gain the user rights of the local user. Users whose accounts are
> configured to have fewer user rights on the system would be less
> impacted than users who operate with administrative privileges.
>
> As always, if previously unknown malicious code were attempted to
> be distributed in this manner, Symantec Security Response would
> react quickly to updated definitions via LiveUpdate to detect and
> deter any new threat(s).
>
> Best Practices
> As part of normal best practices, Symantec strongly recommends a
> multi-layered approach to security:
> * Run under the principle of least privilege where possible.
> * Keep all operating systems and applications updated with the
> latest vendor patches.
> * Users, at a minimum, should run both a personal firewall and
> antivirus application with current updates to provide multiple
> points of detection and protection to both inbound and outbound
> threats.
> * Users should be cautious of mysterious attachments and
> executables delivered via email and be cautious of browsing
> unknown/untrusted websites or clicking on unknown/untrusted URL links.
> * Do not open unidentified attachments or executables from unknown
> sources or that you didn't request or were unaware of.
> * Always err on the side of caution. Even if the sender is known,
> the source address may be spoofed.
> * If in doubt, contact the sender to confirm they sent it and why
> before opening the attachment. If still in doubt, delete the
> attachment without opening it.
>
> CVE
> A CVE Candidate CVE-2006-6490 has been assigned. This issue is a
> candidate for inclusion in the CVE list (http://cve.mitre.org),
> which standardizes names for security problems.
>
> Credit:
> Symantec has coordinated very closely with SupportSoft to help
> ensure that all additional affected vendor customer bases have been
> provided with information concerning affected controls and updates
> to address the vulnerability.
> Symantec wants to thank Mark Litchfield of NGS Software Ltd. for
> the initial identification and notification of this issue and for the
> excellent, in-depth coordination with both Symantec and SupportSoft
> while resolving the issue.
> Additionally, this issue was independently identified by the
> analysts at CERT, in CERT Vulnerability Note VU#441785, who reported
> their findings to and worked closely with both Symantec and
> SupportSoft through to resolution, and by Peter Vreugdenhil, working
> through iDefense who coordinated with Symantec as we resolved the
> issue.
>
> Symantec takes the security and proper functionality of its
> products very seriously. As founding members of the Organization
> for Internet Safety (OISafety), Symantec follows the principles of
> responsible disclosure.
> Symantec also subscribes to the vulnerability guidelines outlined
> by the National Infrastructure Advisory Council (NIAC). Please contact
> secure@symantec.com if you feel you have discovered a potential or
> actual security issue with a Symantec product. A Symantec Product
> Security team member will contact you regarding your submission.
>
> Symantec has developed a Product Vulnerability Handling Process
> document outlining the process we follow in addressing suspected
> vulnerabilities in our products.
> We support responsible disclosure of all vulnerability information
> in a timely manner to protect Symantec customers and the security
> of the Internet as a result of vulnerability. This document is
> available from http://www.symantec.com/security/
>
> Symantec strongly recommends using encrypted email for reporting
> vulnerability information to secure@symantec.com. The Symantec Product
> Security PGP key can be obtained from the location provided above.
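The advisory names the two SupportSoft controls (SmartIssue tgctlsi.dll and ScriptRunner tgctlsr.dll) and recommends tighter ActiveX zone settings as a mitigation; a defender answering John's question for their own fleet first needs to know whether either control is still registered and whether IE is already prevented from loading it. The following inventory script is an added example, not code from Symantec, SupportSoft or the advisory; it assumes the controls are registered as in-process COM servers under HKCR\CLSID and uses the standard IE kill-bit location (Compatibility Flags 0x400 under ActiveX Compatibility\{CLSID}).

```powershell
# Added example: inventory the SupportSoft controls named in SYM07-002 and
# report whether the IE kill bit is set for each registered CLSID.
# Assumption: the controls are registered as InprocServer32 under HKCR\CLSID.
$targets     = @('tgctlsi.dll', 'tgctlsr.dll')   # SmartIssue and ScriptRunner, per the advisory
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    if (-not $inproc) { return }

    # The default value of InprocServer32 is the DLL path the control loads from.
    $path = $inproc.'(default)'
    if (-not $path) { return }
    $leaf = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    if ($targets -notcontains $leaf) { return }

    # Report the on-disk file version so it can be compared with the
    # updated build from the SupportSoft bulletin (version numbers are not
    # given in the advisory, so no "fixed" threshold is hard-coded here).
    $version = $null
    if (Test-Path -LiteralPath $path) {
        $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    }

    # Kill bit: Compatibility Flags with bit 0x400 set tells IE never to
    # instantiate this CLSID, independent of zone settings.
    $flags   = (Get-ItemProperty -Path "$killBitRoot\$clsid" -Name 'Compatibility Flags' `
                                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killBit = (($flags -band 0x400) -ne 0)

    [PSCustomObject]@{
        CLSID       = $clsid
        Dll         = $leaf
        Path        = $path
        FileVersion = $version
        KillBit     = $killBit
    }
} | Format-Table -AutoSize
```

A row with KillBit False and a DLL path that still exists is a host where the control can still be instantiated by the browser, which is the state the advisory's LiveUpdate and Automated Support Assistant steps are meant to remove.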