Bug nel Symantec Security Check

Naviga SWZ: Home Page » News
News del 27 Giugno 03 Autore: Eymerich
Bug nel Symantec Security Check
Gli appassionati di net security conoscono da tempo il servizio Symantec Security Check : come altri siti specializzati permette di testare la sicurezza del proprio sistema. La notizia è che il servizio che avrebbe dovuto favorire la prevenzione ha invece esposto gli utenti a un clamoroso exploit : per eseguire il test infatti è necessario scaricare un controllo ActiveX che resta nel sistema anche dopo che la verifica è stata completata ; purtroppo però il componente rufsi.dll conteneva una vulnerabilità di tipo buffer overflow che,se sfruttata da un malintenzionato,poteva provocare il crash di IE da remoto e sinanche l'esecuzione di codice arbitrario sul computer vittima. Riportiamo integralmente e senza alcuna modifica il bollettino e le istruzioni per eliminare la dll incriminata ; è disponibile anche un removal tool ( - removal tool ! - ).June 25, 2003 Symantec Security Check ActiveX Buffer OverflowRiskModerateOverviewA vulnerability was discovered in a component of Symantec Security Check's online interface. The vulnerability is a buffer overflow in an ActiveX component. An exploit of this vulnerability can lead to unauthorized system access. Components AffectedSymantec Security Check rufsi.dll dated prior to June 23, 2003. DescriptionSymantec was made aware of Symantec Security Check's ActiveX buffer overflow vulnerability on Monday June 23, 2003 through a public posting on the Internet. Since hearing of the exploit Symantec has worked diligently to replace the ActiveX Control on Symantec Security Check. Through Symantec's customer support, we are working with users who may have downloaded the exploited ActiveX Control to remove it from their systems. Although Symantec Security Check is available to both PC and Mac users, this issue only affects PCs. Symantec Security Check is a free web-based tool that enables users to test their computer's exposure to a wide range of on-line threats. As part of running the check, users may install an ActiveX Control, which remains on the user's system even after the check has completed. The current ActiveX Control - which can be named Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class - contains a buffer overflow exploit. The buffer overflow can be exploited when the user with this ActiveX Control visits a malicious website intent on exploiting this vulnerability. The exploit can cause Internet Explorer to crash and/or the execution of arbitrary code on the user's computer.Symantec ResponseSymantec has replaced the current ActiveX Control on the Symantec Security Check website so that new visitors will not be affected by the exploit. Recent visitors to Symantec Security Check should revisit the site and run a new Security Scan. By running a new scan, the previous ActiveX Control will be replaced by an updated ActiveX Control that fixes the buffer overflow condition. Advanced users can attempt to delete the ActiveX Control by rebooting and then going into the system folder: %SystemRoot%Downloaded Program Files and delete "rufsi.dll". This must be done by using the command prompt and the user must not be on the Symantec Security Check site at the time. A removal tool has been developed and can be found here. Note: The proper contact for information and coordination regarding this issue or any security issues with Symantec products is through symsecurity@symantec.com. -------------------------------------------------------------------------------- Copyright (c) 2003 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com. Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners. Last modified on: Wednesday, 25-Jun-03 17:55:34PS : Il dovere di cronaca impone tuttavia un ulteriore approfondimento : ho infatti scoperto che il bug potrebbe avere implicazioni (teoriche) che vanificherebbero l'eliminazione della dll ; invito quindi a leggere la discussione tra Jason Coombs e Chris Wysopal : le loro considerazioni sono a dir poco inquietanti.
7 - Commento/i sul Forum

Voto:

Categoria: Sicurezza

La Community di SWZone.it

La community con le risposte che cerchi ! Partecipa é gratis !
Iscrizione ForumIscriviti al Forum

Newsletter

Vuoi ricevere tutti gli aggiornamenti di SWZone direttamente via mail ?
Iscrizione NewsletterIscriviti alla Newsletter

NOTIZIE CORRELATE