Symantec Log Viewer JavaScript Injection Vulnerabilities

1174

06 March 2020

28 April 2009

CLOSED

MEDIUM

4.3

SUMMARY

 

The Log Viewer feature in some Symantec products contains two parsing errors which could be exploited through JavaScript injection.

AFFECTED PRODUCTS

 

| Product | Version | Solution |
|---|---|---|
| Norton 360 | 1.0 | Run LiveUpdate in Interactive Mode |
| Norton Internet Security | 2005 through 2008 | Run LiveUpdate in Interactive Mode |
| Symantec AntiVirus Corporate Edition | 9.0 MR6 and earlier | Update to MR7 |
| Symantec AntiVirus Corporate Edition | 10.1 MR7 and earlier | Update to MR8 |
| Symantec AntiVirus Corporate Edition | 10.2 MR1 and earlier | Update to MR2 |
| Symantec Endpoint Protection | 11.0 | Update to MR1 or later |
| Symantec Client Security | 2.0 MR6 and earlier | Update to 2.0 MR7 |
| Symantec Client Security | 3.1 MR7 and earlier | Update to MR8 |

ADDITIONAL PRODUCT INFORMATION

 

Unaffected Products

| Product | Version |
|---|---|
| Norton 360 | 2.0 and later |
| Norton Internet Security | 2009 and later |

ISSUES

 

Risk Impact: Low

Remote Access: No

Local Access: Yes

Authentication Required: Yes

Exploit available: No

MITIGATION

 

Details

Next Generation Software notified Symantec that the Symantec Log Viewer (ccLgView.exe) feature used in some Symantec Norton products could be exploited through JavaScript injection. Two parsing errors could potentially allow specially crafted email messages to pass a malicious script to the Symantec event log. Symantec Norton products could be exploited by using the 'View Logs - Email Filtering' option from the Statistics option of the Symantec Log Viewer.

Symantec corporate products do not have this View Logs – Email Filtering option but do install the ccLgView.exe file. Additionally, email information is not stored in the log files viewed using the Symantec Log Viewer in Symantec corporate products.
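
The class of flaw described above, shown as an added example that is not Symantec's code: a viewer that builds its display from email-derived log fields, with the weak rendering beside the output-encoded one. The tab-separated log format, the field names and the HTML table rendering are assumptions made for illustration; the advisory does not describe how ccLgView.exe stores or renders entries.

```javascript
// Added illustration. Log format, field names and HTML rendering are assumptions,
// not details of ccLgView.exe.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical log line format: timestamp<TAB>sender<TAB>subject<TAB>verdict
function parseLogLine(line) {
  const [timestamp, sender, subject, verdict] = line.split("\t");
  return { timestamp, sender, subject, verdict };
}

// Weak form: message-controlled fields are concatenated into markup as-is.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.timestamp}</td><td>${entry.sender}</td>` +
         `<td>${entry.subject}</td><td>${entry.verdict}</td></tr>`;
}

// Hardened form: every field is encoded at the point of output.
function renderRowSafe(entry) {
  const cells = [entry.timestamp, entry.sender, entry.subject, entry.verdict];
  return "<tr>" + cells.map((c) => `<td>${escapeHtml(c ?? "")}</td>`).join("") + "</tr>";
}

// Constructed sample log lines (not taken from a real product log).
const SAMPLE_LOG = [
  "2009-04-28 10:02:11\talice@example.com\tQuarterly report\tallowed",
  "2009-04-28 10:05:42\tmallory@example.net\t<script>alert(1)</script>\tblocked",
];

// Regression check: does a rendered row contain markup beyond its own tr/td tags?
function containsActiveMarkup(html) {
  const inner = html.replace(/<\/?(tr|td)>/g, "");
  return /<[a-z!\/]/i.test(inner);
}

// Parse each line and render it with the chosen row renderer.
function renderLog(lines, renderRow) {
  return lines.map((line) => renderRow(parseLogLine(line)));
}
```

Running containsActiveMarkup over the output of both renderers makes a simple regression test: only the unencoded rendering of the second sample line is flagged.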

 

Symantec Response

Symantec verified that the vulnerabilities exist in the products listed in the Affected Products table above. Updates are available for all impacted products. 

This vulnerability can be exploited only if the user views the Email filtering Log when it contains a malicious message. 

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. 

Although SAV, SCS and SEP do not expose the 'View Logs - Email Filtering' option, the files are installed on the client system. Symantec recommends that customers update affected versions to avoid potential attempts to exploit these issues.

 

Updating Norton products

Symantec Norton product users who launch and run LiveUpdate regularly should already have received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows: 

  • Open any installed Norton product
  • Click LiveUpdate
  • Run LiveUpdate until all available product updates are downloaded and installed

 

Best Practices

As a part of normal best practices, users should keep vendor-supplied patches for all software and operating systems up-to-date. Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability. 

Additional best practices include: 

  • Run under the principle of least privilege where possible. Information on creating a limited user account is available on the Microsoft web site.
  • Run both a personal firewall and antivirus application with current updates to provide multiple points of detection.
  • Be cautious of unsolicited attachments and executables delivered via email or via instant messaging.
  • Do not open email from unknown sources.
  • Do not follow links provided by unknown or untrusted sources.
  • Email addresses can easily be spoofed so a message appears to come from someone you know. If a message seems suspicious, contact the sender before opening attachments or following web links.

ACKNOWLEDGEMENTS

 

Symantec thanks Mark Litchfield from Next Generation Security Software (http://www.ngssoftware.com/) for reporting this issue, and coordinating with us on the response.

REFERENCES

 

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2009-1428 to this issue.

SecurityFocus, http://www.securityfocus.com, has assigned BID 34669 to this issue.

REVISION

 

Updated Affected Product information to clarify affected products