TechWeb

Symantec: We Should Have Done More

Jun 27, 2003 (12:06 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=10810465


Symantec Corp. should have been more aggressive in informing customers of a potential security problem, a top company executive acknowledged Friday. Customers who used the company's online Security Check service before June 24 may have inadvertently opened a security hole on their computers.

Security experts earlier this week criticized the security vendor for not doing enough to inform its home and small-business users that their systems may be at risk (see Symantec Security Flaw Still A Threat).

The problem involves a buffer overflow problem in the Security Check service, which is used to check systems for common security vulnerabilities and attacks. The flaw was in an ActiveX control used by Security Check to examine a computer system. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.

Steve Cullen, senior VP of consumer and client product delivery for Symantec, said Friday that the company didn't do as much as it could have to inform customers about the vulnerability. "We probably hadn't done enough proactive communications, and we've taken steps to clean up that issue," he said.

Symantec posted an advisory on its Security Check Web site and on its home page Thursday that lists software vulnerabilities. It also tells users that they need to either rescan their systems using the Security Check service, which will fix the problem, or use a free tool Symantec has provided that removes the vulnerable ActiveX control from their desktops, Cullen says.

Nearly all of Symantec's ActiveX controls have a security feature that prevents the control from being used by any Web sites other than Symantec's, he says. But this particular ActiveX component lacked that security feature. "We've since gone through all of our ActiveX controls, and they all have that security feature," he says.

That feature is known as SiteLock and is designed to make sure that controls can only be used by Web domains that are trusted by the developer of the ActiveX control.

In an effort to get word out about the vulnerability to the millions of Symantec customers who may now have the faulty software on their systems, Cullen says the company will include information about the vulnerability and its cleanup process in an upcoming Symantec customer E-mail Newsletter. "We're trying to communicate the message to as many people as possible," he says.

Security experts who criticized Symantec's handling of the problem were justified, Cullen says. "I think it's fine for people to call us on that," he says. "And it's important that we remain objective about that. We're being as open and as proactive about this as possible."