[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)
From: <secure@xxxxxxxxxxxx>
Date: 18 Oct 2004 17:24:44 -0000

In-Reply-To: <416F7ABB.8070502@xxxxxxxxxxxxxxxxx>

Symantec is aware of this posting. Symantec engineers are reviewing this issue. 
 If it is validated we will respond accordingly.  

Symantec takes the security of our products seriously.  We are a responsible 
disclosure organization.  We would like to work directly with anyone who 
believes they have found a security issue in a Symantec product to validate the 
problem and coordinate a response.  

Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec 
products.

Symantec Product Security
secure@xxxxxxxxxxxx

-----------------snip-------
>Date: Fri, 15 Oct 2004 03:22:35 -0400
>From: Daniel Milisic <dmilisic@xxxxxxxxxxxxxxxxx>
>User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
>X-Accept-Language: en-us, en
>MIME-Version: 1.0
>To: full-disclosure@xxxxxxxxxxxxxxxx
>Cc: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>Content-Transfer-Encoding: 7bit
>
>Hi All,
>
>For the last couple of week's I've been hands-and-face into a project 
>that is based heavily on .HTA apps.  Basically, the VBScript embedded in 
>the HTA handles the front-end for some basic console-driven tools.  It 
>was also designed to be very simple as to work equally well under 
>95+IE5.5 to Win2003.  Worked really nice... HOWEVER during the testing 
>phase on various platforms, I discovered my .HTA grinds to a halt on 
>machines running Norton AntiVirus 2004, thanks to the "Script Blocking" 
>feature.  A prompt or alert from the damn AV software was NOT something 
>I wanted my users to deal with.  So, I downloaded the TrialWare version 
>from Symantec to take a poke at whether or not I could work around it.
>
>Here's how that went...
>
>One 25MB Download and I was all set to start testing!  But wait, I 
>should LiveUpdate...
>LiveUpdate, 4MB -- REBOOT #1 (*mandatory* restart)
>LiveUpdate, 3MB -- REBOOT #2 (Prompt to restart with an option to continue)
>LiveUpdate, 1MB -- REBOOT #3 (Right now I am thinking oh you have got to 
>be <bleep>ing kidding me, THREE REBOOTS to get up-to-date AV installed!)
>
>Grisoft's AVG6, for comparison sake, is about 7MB in total I believe, 
>and requires a single reboot.  It doesn't have Script Blocking, but if 
>you're thoughtless enough to click on a .vbs e-mail attachment you 
>pretty much deserve what's coming to you ;)
>
>Once out of reboot hell, I fired up the NAV2004 console, an annoyingly 
>tacky HTA-ish type front-end with more bling-bling than functionality.  
>Over the last few years I've grown to really dislike NAV for this, and 
>not just because of the aesthetics.  On more than one occasion I'd see a 
>virus or spyware infected PC with NAV on it (user error not NAV's 
>fault); with the NAV console just a smoldering pile of script errors 
>after the malicious program hosed IE's rendering engine.  The NAV 
---------------snip------------------------

Prev by Date: Re: EEYE: Windows VDM #UD Local Privilege Escalation
Next by Date: [SECURITY] [DSA 569-1] New netkit-telnet-ssl packages fix denial of service
Previous by thread: iDEFENSE Security Advisory 10.18.04: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
Next by thread: Re: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)
Index(es):
- Date
- Thread