Symantec security product contains flaw

The company says users of its online Security Check service have likely downloaded a flawed ActiveX control that could be used by an intruder as a path into the victim's PC.

Robert Lemos, Staff Writer, CNET News.com
Security-software maker Symantec warned customers Tuesday that users of its online Security Check service have likely downloaded a flawed ActiveX control that could be used by an intruder as a path into the victim's PC.

Security Check is meant to help people lock down their systems and loads an ActiveX control that aids in scanning a person's computer. Ironically, that control, which remains on the computer even after scanning, contains a memory flaw that could be used by an attacker to break into the PC.

Symantec has replaced the ActiveX component, which uses the name Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class, with a new one served by the site that overwrites the old software and solves the problem.

"Recent visitors to Symantec Security Check should revisit the site and run a new security scan," the company stated in its advisory.

ActiveX is a Microsoft technology for running small programs, or scripts, using a special language understood by Internet Explorer. The technology has been a source of some major flaws for the Windows platform. The components are stored in the registry portion of the operating system.

The advisory appeared two days after an independent security researcher revealed the flaw on the Full Disclosure security list.

"This is really funny," wrote the discoverer, Cesar Cerrudo. "Symantec tries to protect users and they introduce dangerous ActiveX controls in user's computers" instead.

Cerrudo said he neither tried to contact Symantec about the warning nor gave them 30 days, a standard grace period, to fix the flaw. "I forgot about the 30-day grace period...also I forgot to report it," he wrote in his own advisory, tacking a smiley emoticon to the end.

Symantec wasn't pleased by the lack of a warning.

"It is ours as well as much of the security community's belief that premature disclosure can pose a serious threat to the Internet," the company wrote. "Such disclosure should be discouraged."

The company plans to release a clean-up tool to delete the ActiveX component from computers whose owners don't want to go back to the Security Check site.

Symantec's problems might not be over.

Another security researcher noted that the ActiveX control could cause issues for people who haven't even used the Security Check site. Chris Wysopal, director of research and development for security company @Stake, believes that an online vandal could copy the control from a PC that hasn't been updated with the patched software.

"They could put it on their Web site," Wysopal said. "When a person tries to go to the Web site, they will download the control."

However, the threat is lessened by the fact that, under the default Internet Explorer settings, a dialog box should pop up asking whether the user wants to download the ActiveX component, Wysopal said. That dialog box will, however, state that the control is signed by Symantec.

"A box will pop up that says, 'Do you want to download this control signed by Symantec?' Many people will," Wysopal said.
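The re-hosting risk Wysopal describes means the flawed control is a liability on any machine where it is still registered, whichever site serves it. As an added example (not from the article and not Symantec's tooling), the PowerShell below inventories registered ActiveX controls by the names the article gives and reports whether Internet Explorer's kill bit blocks them; it assumes the standard Windows registry layout for COM classes and IE ActiveX Compatibility, and since the article gives no CLSID it matches on the registered name.

```powershell
# Added example, not from the article or from Symantec. Finds ActiveX controls
# registered under the names the article gives and reports whether Internet
# Explorer's "kill bit" (Compatibility Flags 0x400) blocks them. Assumes the
# standard Windows registry layout for COM classes and IE ActiveX Compatibility.
$NamePattern = 'Symantec RuFSI'
$KillBit     = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-RegisteredControl {
    param([string]$Pattern)
    foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $name = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $name -or $name -notmatch $Pattern) { continue }
        $clsid  = $key.PSChildName
        $dll    = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $compat = Get-ItemProperty -Path "$CompatRoot\$clsid" -ErrorAction SilentlyContinue
        $flags  = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }
        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            DllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

# Mitigation: stop IE from instantiating a control by CLSID, no matter which
# site serves it. Requires an elevated prompt. This also blocks the replacement
# control if it registers under the same CLSID; the article's recommended fix
# is to rerun Symantec Security Check so the new control overwrites the old one.
function Set-IEKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBit
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

$found = @(Get-RegisteredControl -Pattern $NamePattern)
if ($found.Count -eq 0) {
    "No ActiveX control matching '$NamePattern' is registered on this machine."
} else {
    $found | Format-Table -AutoSize
    # To block the listed controls in IE, run (elevated):
    #   $found | Where-Object { -not $_.KillBitSet } | ForEach-Object { Set-IEKillBit -Clsid $_.CLSID }
}
```

The report alone is read-only and safe to run on a fleet; the kill-bit write is left as an explicit, commented-out step because it blocks the control by CLSID rather than by version.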