Symantec 'security scan' distributes rootkit

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/31752.html

By Thomas C Greene in Washington
Posted: 15/07/2003 

"Symantec Security Check is a free web-based tool that enables users
to test their computer's exposure to a wide range of on-line threats,"  
the press release begins. Unfortunately, Symantec Security Check has
also been installing an on-line threat of its own in the form of a
dangerous ActiveX control.

"The ActiveX control, named Symantec RuFSI Utility Class or Symantec
RuFSI Registry Information Class, contains a buffer overflow exploit,"  
the company says, though we're nearly certain they mean that it's
exploitable, not that it's actually been infected with something. But
you never know; the press release is one of those waffly ones that
doesn't quite tell you everything you want to hear.

The buffer overflow can be exploited by hip Webmasters, and victims
turning up at their sites risk having malicious code run on their
Windows boxes.

The easiest way to get rid of the dangerous ActiveX control that
security experts Symantec have planted on your machine is to visit the
Security Check Web page again, submit to the security check once more,
and allow them to install a much better one in its place, which they
are now prepared to do.

Or, if you've had enough of their security expertise for now, you can,
in Symantec's words, "attempt to remove" the relevant file thus:

Boot to a DOS prompt and delete the file rufsi.dll from the
%Windir%\Downloaded Program Files\ directory.

Choose your poison.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.