SUMMARY

The Log Viewer feature in some Symantec products contains two parsing errors which could be exploited through Java script injection.

AFFECTED PRODUCTS

ADDITIONAL PRODUCT INFORMATION

Unaffected Products

ISSUES

Risk Impact

Low

MITIGATION

Details

Next Generation Software notified Symantec that the Symantec Log Viewer (ccLgView.exe) feature used in some Symantec Norton products could be exploited through Javascript injection. Two parsing errors could potentially allow specially crafted email messages to pass a malicious script to the Symantec event log. Symantec Norton products could be exploited by using the View Logs - Email Filtering' option from the Statistics option of the Symantec Log Viewer. 

Symantec corporate products do not have this View Logs – Email Filtering option but do install the ccLgView.exe file. Additionally, email information is not stored in the log files viewed using the Symantec Log Viewer in Symantec corporate products.

Symantec Response

Symantec verified that the vulnerabilities exist in the products listed in the Affected Products table above. Updates are available for all impacted products. 

This vulnerability can be exploited only if the user views the Email filtering Log when it contains a malicious message. 

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. 

Although SAV, SCS and SEP do not the expose the ‘View Logs - Email Filtering' option the files are installed on the client system. Symantec recommends that customers update affected versions to avoid potential attempts to exploit these issues.

Updating Norton products

Symantec Norton product users who launch and run LiveUpdate regularly should already have received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows: 

• Open any installed Norton product
• Click LiveUpdate
• Run LiveUpdate until all available product updates are downloaded and installed

Best Practices

As a part of normal best practices, users should keep vendor-supplied patches for all software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability. 

Additional best practices include: 

• Run under the principle of least privilege where possible. Information on creating a limited user account is available on the Microsoft web site.
• Run both a personal firewall and antivirus application with current updates to provide multiple points of detection.
• Be cautious of unsolicited attachments and executables delivered via email or via instant messaging.
• Do not open email from unknown sources.
• Do not follow links provided by unknown or untrusted sources.
• Email addresses can easily be spoofed so a message appears to come from someone you know. If a message seems suspicious, contact the sender before opening attachments or following web links.

ACKNOWLEDGEMENTS

Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.

REFERENCES

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned Use CVE-2009-1428 to this issue 

SecurityFocus, http://www.securityfocus.com, has assigned BID 34669 to this issue

REVISION

Updated Affected Product information to clarify affected products