Symantec Log Viewer JavaScript Injection Vulnerabilities
1174
06 March 2020
28 April 2009
CLOSED
MEDIUM
4.3
SUMMARY
The Log Viewer feature in some Symantec products contains two parsing errors which could be exploited through JavaScript injection.
AFFECTED PRODUCTS
Product | Version | Solution
Norton 360 | 1.0 | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2005 through 2008 | Run LiveUpdate in Interactive Mode
Symantec AntiVirus Corporate Edition | 9.0 MR6 and earlier | Update to MR7
Symantec AntiVirus Corporate Edition | 10.1 MR7 and earlier | Update to MR8
Symantec AntiVirus Corporate Edition | 10.2 MR1 and earlier | Update to MR2
Symantec Endpoint Protection | 11.0 | Update to MR1 or later
Symantec Client Security | 2.0 MR6 and earlier | Update to 2.0 MR7
Symantec Client Security | 3.1 MR7 and earlier | Update to MR8
ADDITIONAL PRODUCT INFORMATION
Unaffected Products
Product | Version
Norton 360 | 2.0 and later
Norton Internet Security | 2009 and later
ISSUES
Risk Impact
Low
Remote Access | No
Local Access | Yes
Authentication Required | Yes
Exploit available | No
MITIGATION
Details
Next Generation Software notified Symantec that the Symantec Log Viewer (ccLgView.exe) feature used in some Symantec Norton products could be exploited through JavaScript injection. Two parsing errors could potentially allow specially crafted email messages to pass a malicious script to the Symantec event log. Symantec Norton products could be exploited by using the 'View Logs - Email Filtering' option from the Statistics option of the Symantec Log Viewer.
Symantec corporate products do not have this View Logs – Email Filtering option but do install the ccLgView.exe file. Additionally, email information is not stored in the log files viewed using the Symantec Log Viewer in Symantec corporate products.
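The class of flaw described above, shown as an added example that is not Symantec code: it assumes a log viewer that builds HTML rows from stored email fields, and the field names, row layout and sample entry are constructed for illustration. It contrasts rendering logged text as markup with encoding it at display time, and adds a simple check for entries already in a log.

```javascript
// Added illustration, not Symantec code. Field names and the HTML row
// layout are assumptions; the log entry below is constructed sample data.
const sampleEntry = {
  date: "2009-04-28 10:15",
  sender: "someone@example.com",
  subject: 'Invoice <script>alert("log viewer")</script>',
  action: "Filtered as spam",
};

const FIELDS = ["date", "sender", "subject", "action"];

// Unsafe pattern: text taken from the email is concatenated into markup,
// so the viewer parses it as code when the log is opened.
function renderRowUnsafe(entry) {
  return "<tr>" + FIELDS.map((f) => "<td>" + entry[f] + "</td>").join("") + "</tr>";
}

// Encode the characters that can leave element or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every logged field is treated as data and encoded
// at render time, regardless of what the mail parser stored.
function renderRowSafe(entry) {
  return (
    "<tr>" +
    FIELDS.map((f) => "<td>" + escapeHtml(entry[f] ?? "") + "</td>").join("") +
    "</tr>"
  );
}

// Triage helper: list the fields of a stored entry that contain
// markup-like content (tags, javascript: URLs, inline event handlers).
function findSuspiciousFields(entry) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|javascript:|\bon\w+\s*=/i;
  return FIELDS.filter((f) => markup.test(String(entry[f] ?? "")));
}

console.log(renderRowSafe(sampleEntry));
console.log(findSuspiciousFields(sampleEntry));
```

Encoding at display time protects the viewer even when the parsing stage has already written untrusted text to the log.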
Symantec Response
Symantec verified that the vulnerabilities exist in the products listed in the Affected Products table above. Updates are available for all impacted products.
This vulnerability can be exploited only if the user views the Email filtering Log when it contains a malicious message.
Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them.
Although SAV, SCS and SEP do not expose the 'View Logs - Email Filtering' option, the files are installed on the client system. Symantec recommends that customers update affected versions to avoid potential attempts to exploit these issues.
Updating Norton products
Symantec Norton product users who launch and run LiveUpdate regularly should already have received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:
- Open any installed Norton product
- Click LiveUpdate
- Run LiveUpdate until all available product updates are downloaded and installed
Best Practices
As a part of normal best practices, users should keep vendor-supplied patches for all software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability.
Additional best practices include:
- Run under the principle of least privilege where possible. Information on creating a limited user account is available on the Microsoft web site.
- Run both a personal firewall and antivirus application with current updates to provide multiple points of detection.
- Be cautious of unsolicited attachments and executables delivered via email or via instant messaging.
- Do not open email from unknown sources.
- Do not follow links provided by unknown or untrusted sources.
- Email addresses can easily be spoofed so a message appears to come from someone you know. If a message seems suspicious, contact the sender before opening attachments or following web links.
ACKNOWLEDGEMENTS
Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.
REFERENCES
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2009-1428 to this issue.
SecurityFocus, http://www.securityfocus.com, has assigned BID 34669 to this issue.
REVISION
Updated Affected Product information to clarify affected products