Re: RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow

[Cesar <cesarc56 () yahoo com>]

> From Symantect Security check FAQ:

http://security.symantec.com/sscv6/help.asp?langid=ie&venid=sym&plfid=22&pkj=PIHTBMRSJRFSKLUKUMX

4. Aren't ActiveX controls dangerous and inherently
unsafe? 
Yes and No. ActiveX controls are only as safe as the
company that created them. If a control has a digital
signature, it means that the control has not been
tampered with and is guaranteed to be exactly the same
as when the software publisher created it. The ActiveX
controls we use are digitally signed by Symantec
Corporation. When you see the Security Warning dialog
box, check for the statement "Publisher authenticity
verified by VeriSign". This statement guarantees that
the control has not been tampered with since being
signed by Symantec.
 

Can Symantec define what is safe?

Cesar.
 
--- Jason Coombs <jasonc () science org> wrote:
> Aloha, Symantec Security.
>
> Two questions:
>
> 1) Does this ActiveX control bear a digital
> signature? If so, the problem it
> causes does not go away simply because there is a
> new version available from
> Symantec. An attacker in possession of the bad code
> with its attached digital
> signature can fool a victim whose computer does not
> currently have the
> vulnerable code installed into trusting the ActiveX
> control due to the fact
> that Symantec's digital signature will validate
> against the trusted root CA
> certificate present by default in Windows -- the
> existence of the digital
> signature on the bad code effectively transfers
> ownership of millions of other
> people's computers to anyone who should become
> interested in attacking those
> computers; it is extremely important that Symantec
> take further action above
> and beyond compiling a new version of the affected
> code because of the ongoing
> threat posed for the duration of the validity of the
> digital signature.
>
> 2) Symantec must have known in advance of this
> discovery and disclosure that
> ActiveX was inherently insecure and that the whole
> system of digital
> signatures and third-party PKI advanced by Microsoft
> was flawed beyond repair,
> yet Symantec chose to put the computing public at
> risk anyway -- how can
> Symantec claim that disclosure is a serious threat
> that should be discouraged
> while Symantec knowingly engages in business
> behavior that the security
> community knows to be unsafe? If Symantec's products
> were designed with
> security as the highest priority, they would be open
> source and they would
> avoid using any technique such as ActiveX controls
> and digitally signed code
> that has been proven to be impossible to manage
> securely.
>
> > premature disclosure can pose a serious threat to
> the internet.
> > Such disclosure should be discouraged.
>
> It is pointless to fret over the potential threat
> that disclosure might cause
> while we simultaneously ignore the provable threats
> that our misbehaviors do
> cause. Full disclosure is the only protection we
> have against ourselves and
> our own stupidity, and such disclosure should be
> encouraged.
>
> Sincerely,
>
> Jason Coombs
> jasonc () science org
>
> -----Original Message-----
> From: Craig Ozancin [mailto:cozancin () symantec com]On
> Behalf Of Sym
> Security
> Sent: Tuesday, June 24, 2003 7:09 AM
> To: bugtraq () securityfocus com
> Subject: [Symantec Security Advisor] Symantec
> Security Check ActiveX
> Buffer Overflow
>
> Title:    Symantec Security Check ActiveX Buffer
> Overflow
>
> Date:     Monday, June 23, 2003 09:15:19 PM
> Threat:   Moderate
> Impact:   System Access
> Product:  Symantec Security Check
>
> Situation Overview:
> Symantec Security Check is ... an ActiveX Control
> ...
> exploited when the user with this ActiveX Control
> visits ...
>
> Symantec has replaced the current ActiveX Control on
> the Symantec
> Security Check website so that new visitors will not
> be affected by
> the exploit.
>
> we are working with users who may have downloaded
> the exploited ActiveX
> Control to remove it from their
> systems. Although Symantec Security Check is
> available to both PC and
> Mac users, this issue only affects PCs.
>
> Symantec Vulnerability Response Process:
> Symantec is a strong supporter of responsible
> disclosure. It is our
> goal to establish a working relationship with
> researchers who
> discover vulnerabilities in Symantec products and to
> develop, test
> and make available updates prior to there being
> publicly disclosed.
> It is ours as well as much of the security
> communities belief that
> premature disclosure can pose a serious threat to
> the internet. Such
> disclosure should be discouraged.
>
> Symantec Security
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html