Symantec Norton SystemWorks NProtect directory is hidden from Windows APIs

systemworks-nprotect-hidden (24061) The risk level is classified as LowLow Risk

Description:

The Norton Protected Recycle Bin feature in Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 have a security weakness that could allow a local attacker to bypass virus protection. The Norton Protected Recycle Bin NProtect directory is hidden from the Windows FindFirst and FindNext APIs. This could allow a local attacker to place malicious files on the system that may not be checked by virus scanning software.

Platforms Affected:

  • Microsoft, Windows 2000 Professional
  • Symantec, Norton System Works 2005
  • Symantec, Norton System Works 2005 Premier
  • Symantec, Norton System Works 2006 Premier
  • Symantec, Norton System Works 2006

Remedy:

Patches for this vulnerability are available through Symantec LiveUpdate.

Consequences:

Bypass Security

References:

  • Symantec Security Response SYM06-002, Symantec Norton Protected Recycle Bin Exposure at http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html.
  • CVE-2006-0166: Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products.
  • SA18402: Symantec Norton SystemWorks Protected Recycle Bin Weakness
  • SECTRACK ID: 1015462: Symantec Norton SystemWorks Hidden Directory Obscures Files from Anti-Virus Scanners
  • VUPEN/ADV-2006-0143: Symantec Norton Protected Recycle Bin Security Bypass Vulnerability

Reported:

Jan 10, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page