In-Reply-To: <416F7ABB.8070502@xxxxxxxxxxxxxxxxx>

Symantec is aware of this posting. Symantec engineers are reviewing this issue. If it is validated we will respond accordingly.

Symantec takes the security of our products seriously. We are a responsible disclosure organization. We would like to work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate a response. Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec products.

Symantec Product Security
secure@xxxxxxxxxxxx

-----------------snip-------
>Date: Fri, 15 Oct 2004 03:22:35 -0400
>From: Daniel Milisic <dmilisic@xxxxxxxxxxxxxxxxx>
>User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
>X-Accept-Language: en-us, en
>MIME-Version: 1.0
>To: full-disclosure@xxxxxxxxxxxxxxxx
>Cc: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>Content-Transfer-Encoding: 7bit
>
>Hi All,
>
>For the last couple of weeks I've been hands-and-face into a project
>that is based heavily on .HTA apps. Basically, the VBScript embedded in
>the HTA handles the front-end for some basic console-driven tools. It
>was also designed to be very simple as to work equally well under
>95+IE5.5 to Win2003. Worked really nice... HOWEVER during the testing
>phase on various platforms, I discovered my .HTA grinds to a halt on
>machines running Norton AntiVirus 2004, thanks to the "Script Blocking"
>feature. A prompt or alert from the damn AV software was NOT something
>I wanted my users to deal with. So, I downloaded the TrialWare version
>from Symantec to take a poke at whether or not I could work around it.
>
>Here's how that went...
>
>One 25MB Download and I was all set to start testing! But wait, I
>should LiveUpdate...
>LiveUpdate, 4MB -- REBOOT #1 (*mandatory* restart)
>LiveUpdate, 3MB -- REBOOT #2 (Prompt to restart with an option to continue)
>LiveUpdate, 1MB -- REBOOT #3 (Right now I am thinking oh you have got to
>be <bleep>ing kidding me, THREE REBOOTS to get up-to-date AV installed!)
>
>Grisoft's AVG6, for comparison sake, is about 7MB in total I believe,
>and requires a single reboot. It doesn't have Script Blocking, but if
>you're thoughtless enough to click on a .vbs e-mail attachment you
>pretty much deserve what's coming to you ;)
>
>Once out of reboot hell, I fired up the NAV2004 console, an annoyingly
>tacky HTA-ish type front-end with more bling-bling than functionality.
>Over the last few years I've grown to really dislike NAV for this, and
>not just because of the aesthetics. On more than one occasion I'd see a
>virus or spyware infected PC with NAV on it (user error not NAV's
>fault); with the NAV console just a smoldering pile of script errors
>after the malicious program hosed IE's rendering engine. The NAV
---------------snip------------------------