Aloha, Symantec Security. Two questions: 1) Does this ActiveX control bear a digital signature? If so, the problem it causes does not go away simply because there is a new version available from Symantec. An attacker in possession of the bad code with its attached digital signature can fool a victim whose computer does not currently have the vulnerable code installed into trusting the ActiveX control due to the fact that Symantec's digital signature will validate against the trusted root CA certificate present by default in Windows -- the existence of the digital signature on the bad code effectively transfers ownership of millions of other people's computers to anyone who should become interested in attacking those computers; it is extremely important that Symantec take further action above and beyond compiling a new version of the affected code because of the ongoing threat posed for the duration of the validity of the digital signature. 2) Symantec must have known in advance of this discovery and disclosure that ActiveX was inherently insecure and that the whole system of digital signatures and third-party PKI advanced by Microsoft was flawed beyond repair, yet Symantec chose to put the computing public at risk anyway -- how can Symantec claim that disclosure is a serious threat that should be discouraged while Symantec knowingly engages in business behavior that the security community knows to be unsafe? If Symantec's products were designed with security as the highest priority, they would be open source and they would avoid using any technique such as ActiveX controls and digitally signed code that has been proven to be impossible to manage securely. > premature disclosure can pose a serious threat to the internet. > Such disclosure should be discouraged. It is pointless to fret over the potential threat that disclosure might cause while we simultaneously ignore the provable threats that our misbehaviors do cause. Full disclosure is the only protection we have against ourselves and our own stupidity, and such disclosure should be encouraged. Sincerely, Jason Coombs jasonc@science.org -----Original Message----- From: Craig Ozancin [mailto:cozancin@symantec.com]On Behalf Of Sym Security Sent: Tuesday, June 24, 2003 7:09 AM To: bugtraq@securityfocus.com Subject: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow Title: Symantec Security Check ActiveX Buffer Overflow Date: Monday, June 23, 2003 09:15:19 PM Threat: Moderate Impact: System Access Product: Symantec Security Check Situation Overview: Symantec Security Check is ... an ActiveX Control ... exploited when the user with this ActiveX Control visits ... Symantec has replaced the current ActiveX Control on the Symantec Security Check website so that new visitors will not be affected by the exploit. we are working with users who may have downloaded the exploited ActiveX Control to remove it from their systems. Although Symantec Security Check is available to both PC and Mac users, this issue only affects PCs. Symantec Vulnerability Response Process: Symantec is a strong supporter of responsible disclosure. It is our goal to establish a working relationship with researchers who discover vulnerabilities in Symantec products and to develop, test and make available updates prior to there being publicly disclosed. It is ours as well as much of the security communities belief that premature disclosure can pose a serious threat to the internet. Such disclosure should be discouraged. Symantec Security
