Today on PC Magazine’s Security Watch:
Two vulnerabilities in Norton Internet Security 2008 have been patched by the vendor. The vulnerabilities were reported by VeriSign’s iDefense (here and here).
The vulnerabilities are in an ActiveX control installed by NIS 2008 which is marked safe for scripting. The vulnerability could allow for remote code execution by an unauthenticated user. The bug is, nevertheless, difficult to exploit, and no public exploit exists.
According to iDefense, it would need to be executed in the context of the symantec.com domain. This could be accomplished through cross-site scripting on the symantec.com site—which would require incompetence on the part of that site’s administrators and authors—or through DNS cache poisoning attacks against the user. Both are probably hard to do.
Yes, of course… (Notice: Symantec XSS vulnerability fixed later, on April the 10th)
BTW, isn’t that a Google Search Appliance?
Despite Symantec’s search functionality being provided by Google Search Appliance, the XSS vulnerability above seems a genuine home-grown customization.
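Why an XSS hole on the vendor's own site matters for a control restricted to that domain, as an added example (not Symantec's or iDefense's code): a simplified model of a hostname-based site lock, run over constructed page URLs. The `POLICY` object, the function names and the scenario list are assumptions made for illustration.

```javascript
// Added model of a domain-restricted control; names and policy are assumptions.
const POLICY = { domain: 'symantec.com', requireHttps: false };

// Match on a label boundary so "notsymantec.com" is not treated as a subdomain.
function hostInDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === domain || h.endsWith('.' + domain);
}

// The decision the control makes: it only ever sees the URL of the hosting page.
function siteLockAllows(pageUrl, policy) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (policy.requireHttps && u.protocol !== 'https:') return false;
  return hostInDomain(u.hostname, policy.domain);
}

// Constructed scenarios. vendorAuthored records who really supplied the script,
// which is exactly the fact the URL check cannot observe.
const SCENARIOS = [
  { name: 'vendor page', url: 'https://www.symantec.com/support', vendorAuthored: true },
  { name: 'unrelated site', url: 'http://example.net/page', vendorAuthored: false },
  { name: 'look-alike host', url: 'http://notsymantec.com/', vendorAuthored: false },
  { name: 'XSS on vendor page', url: 'https://www.symantec.com/search?q=x', vendorAuthored: false },
  { name: 'poisoned DNS, plain HTTP', url: 'http://www.symantec.com/', vendorAuthored: false },
];

// gap = the control accepted a page whose script the vendor did not write.
function evaluate(policy) {
  return SCENARIOS.map((s) => {
    const allowed = siteLockAllows(s.url, policy);
    return { name: s.name, allowed, gap: allowed && !s.vendorAuthored };
  });
}

for (const policy of [POLICY, { ...POLICY, requireHttps: true }]) {
  console.log('requireHttps =', policy.requireHttps);
  for (const r of evaluate(policy)) {
    console.log(`  ${r.name}: allowed=${r.allowed} gap=${r.gap}`);
  }
}
```

Requiring HTTPS removes the poisoned-DNS row, because a forged DNS answer cannot present a valid certificate for the host, but the XSS row stays a gap under either policy.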
This is quite hilarious (from Brian Krebs’s Security Fix column on Washington Post):
Despite the fact that most of these Web site security flaws are posted to a publicly accessible archive site, only 473 of the cases discovered in the last half of 2007 were fixed by the end of last year, Symantec said.
Update 3 (10 Apr)
Symantec guys finally fixed their XSS vulnerability.