Symantec Security Check ActiveX Control buffer overflow
| symantec-security-activex-bo (12423) |  High Risk |
Description:
Symantec Security Check is a freely available online security scan and virus detection tool. The Symantec ActiveX Control that was available prior to June 23, 2003 09:15:19 PM, which may be installed in order to run the security check, is vulnerable to a buffer overflow. By creating a malicious Web page, a remote attacker can overflow a buffer and execute arbitrary code on the system or cause Internet Explorer to crash, once the victim with the vulnerable ActiveX Control installed visits the Web page.
Note: A system with the new ActiveX Control could still be vulnerable, if a remote attacker has obtained the code of the vulnerable ActiveX Control with its attached digital signature the attacker can trick a user, whose computer does not currently have the vulnerable ActiveX Control installed, into trusting the ActiveX control because Symantec's digital signature will validate against the default CA certificate in Windows. The new ActiveX Control should be given a new CLSID Key and the kill bit should be set for the vulnerable ActiveX Control's CLSID Key. See BugTraq Mailing List, Tue Jun 24 2003 - 16:59:57 CDT for more information.
Consequences:
Gain Access
Remedy:
As a workaround, run a new Security Scan, which will replace the vulnerable ActiveX Control with an updated ActiveX Control that fixes this vulnerability. See the Symantec Security Advisory dated Monday, June 23, 2003 09:15:19 PM for more information.
—OR—
As a workaround, delete the vulnerable ActiveX Control by rebooting and then going into the system folder: %SystemRoot%\Downloaded Program Files\ and delete the rufsi.dll file. This must be done by using the command prompt and the user must not be on the Symantec Security Check Web site at the time this procedure is being done. See the Symantec Security Advisory dated Monday, June 23, 2003 09:15:19 PM for more information.
References:
- BugTraq Mailing List, Tue Jun 24 2003 - 16:59:57 CDT: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow.
- Symantec Security Advisory Monday, June 23, 2003 09:15:19 PM: Symantec Security Check ActiveX Buffer Overflow.
- BID-8008: Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
- CVE-2003-0470: Buffer overflow in the RuFSI Utility Class ActiveX control (aka RuFSI Registry Information Class), as used for the Symantec Security Check service, allows remote attackers to execute arbitrary code via a long argument to CompareVersionStrings.
- SA9091: Symantec Security Check ActiveX Remotely Exploitable Buffer Overflow
- SECTRACK ID: 1007029: Symantec Security Check ActiveX Control Buffer Overflow Lets Remote Users Execute Arbitrary Code
- US-CERT VU#527228: Symantec ActiveX control vulnerable to buffer overflow
Platforms Affected:
- Symantec RuFSI Utility Class ActiveX Control
Reported:
Jun 24, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net