Symantec Product Advisory: SYM07- 021

SYM07- 021: Symantec ActiveX Control Input Validation Error

An input validation error in two ActiveX controls used by Norton AntiVirus, Norton Internet Security, and Norton System Works could allow an attacker to execute code on the target system.

Affected Products
Norton Antivirus 2006
Norton Internet Security 2006
Norton System Works 2006
Norton Internet Security, Anti Spyware Edition 2005

Symantec response
Symantec engineers have confirmed that the vulnerability in the products listed in the Affected Products table above. Updates for affected products are available through LiveUpdate.

No versions of Symantec AntiVirus Corporate Edition or Symantec Client Security are affected by this vulnerability.

To successfully exploit this vulnerability, an attacker would need to entice the user to view a specially crafted HTML document. This type of attack is often achieved by sending email containing a link to the malicious site, and persuading the recipient to click on the link.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

More details at

Worldwide Malware Study Set for Launch

 A group of researchers has been given a $7.1 million grant by the European Union and corporate sponsors to correlate malware data and find out more about its sources around the globe.

The three-year project, called Worldwide Observatory of Malicious Behavior and Attack Tools (WOMBAT), will begin in January, the project’s leader announced here yesterday.

In a Black Hat presentation, Stefano Zanero, a researcher at the Italian university Politecno de Milano and founder/CTO of Secure Network, said the project’s funding was approved “three or four days ago. I wasn’t even sure that I was going to be able to talk about it here.”

The goal of the project is to correlate malware data from the many different researchers who collect it, and to try to spot trends that might indicate where it comes from and how it proliferates.

Websense to unveil "honeyjax" malware tools at Defcon

Just as honeypots have long been used to attract samples of the latest malware code floating around the Web, researchers with filtering specialist Websense plan to unveil a new set of tools dubbed honeyjax that promise to reach out across the Internet to seek out the latest social engineering attacks.

Meant to serve as a magnet for malware and scams leveled at so-called Web 2.0 applications and programming techniques, honeyjax instead uses active client software to seek out malware, phishing kits and other threats, said Dan Hubbard, vice president of security research at Websense.

Hubbard will detail the tools in a presentation at the Defcon hacker conference at the Riviera hotel in Las Vegas on Sunday.

Also tagged with the product name Threatseeker, the tools have been used by Websense over the last year to unearth malware and scams being carried out on sites that utilize user-driven content — such as MySpace — and applications built using emerging programming techniques such as AJAX, he said.

Anti-virus struggles on 64-bit Vista

Anti virus software for the 64-bit version of Windows Vista is struggling to properly protect the operating system, according to a new test by the Virus Bulletin security certification body.

Of the 20 anti-virus product tested, 35 per cent failed to meet the test’s criteria. Six of the failing grades were caused by so called false positives, legitimate files that are incorrectly flagged as malware.

Of the major vendors, McAfee Virusscan and Symantec Antivirus both passed the test, as did Microsoft’s Forefront, Redmond’s enterprise grade security suite that was released last May.

CA’s eTrust application failed the test. The software comes with improper default settings that instruct the software to ignore many file formats. It therefore failed to detect many malware applications. Users instead have to manually apply the proper settings.

Trend Micro submitted three products for testing, all of which mistook a Microsoft development tool for malware.

New Tool – BotHunter

Readers, SRI International and Georgia Tech have been working on a pretty cool new tool that will quickly locate bot traffic inside a network.  A government/military version of this software has been in use successfully for about a month, and a public version was made available this week.  [b]BotHunter[/b] introduces a new kind of passive network perimeter monitoring scheme, designed to recognize the intrusion and coordination dialog that occurs during a successful malware infection.  It employs a novel dialog-based correlation engine (patent pending), which recognizes the  communication patterns of malware-infected computers within your network perimeter.  BotHunter is available for download at and runs under Linux Fedora, SuSE, and Debian distributions.

AOL discontinues Active Virus Shield; Free McAfee’s VirusScan Plus is AOL’s new offer

A year ago AOL started offering Active Virus Shield, a free anti-virus package based on Kaspersky antivirus. The company has now stopped distributing this software. The Active Virus Shield web page now only shows the information: “We’re Sorry! AOL Active Virus Shield is no longer available.”

However, AOL has not abandoned its antivirus initiative, but merely switched suppliers. Their security page now offers a special edition of McAfee’s VirusScan Plus, free of charge. Users with a valid AOL user name can download the program from AOL; those without can register an account for free.