Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-6490 to a friend New vulnerability? New tool? Tell us	CVE-2006-6490 Stack Overflow in 3rd Party ActiveX Controls affects Multiple Vendor Products     Credit: The information has been provided by Symantec Security. The original article can be found at: http://www.symantec.com/avcenter/security/Content/2007.02.22.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-6490 Details Check for CVE-2006-6490 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Symantec Automated Support Assistant  * Symantec Norton AntiVirus 2006  * Symantec Norton Internet Security 2006  * Symantec Norton System Works 2006 Immune Systems:  * Symantec 2007 Consumer Products  * Symantec Norton 360  * Symantec Corporate and Enterprise Products Symantec was initially alerted by Next Generation Security Software (NGSS), to stack overflow and unauthorized access vulnerabilities identified in two SupportSoft ActiveX controls, SmartIssue tgctlsi.dll and ScriptRunner tgctlsr.dll, that Symantec signed and shipped with some of Symantec s 2006 consumer products and used by the Symantec Automated Support Assistant support tool Symantec provides onits consumer support site. These SupportSoft ActiveX components did not properly validate external input. This failure could potentially lead to unauthorized access to system resources or the possible execution of malicious code with the privileges of the user s browser, resulting in a potential compromise of the user s system. Any attempt to exploit these issues would require interactive user involvement. An attacker would need to be able to effectively entice a user to visit a malicious web site where their malicious code was hosted or to click on a malicious URL in any attempt to compromise the user s system. While these SupportSoft-developed components should also have been effectively site-locked, which would have further reduced the severity, this capability was found to be improperly implemented in the vulnerable versions. Symantec Response: Symantec worked closely with SupportSoft to ensure updates were quickly made available for the identified controls. SupportSoft has posted a Security Bulletin, http://www.supportsoft.com/support/controls_update.asp, for the controls Symantec uses and controls used in other products on their support site, www.supportsoft.com. CVE Information: CVE-2006-6490  Comments on CVE-2006-6490:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®