
Symantec concedes inadequate risk warning

Johannesburg, 30 Jun 2003

Symantec, the information security company, has admitted it "could have done a better job" of informing customers of the information security risk they face.

Experts criticised the vendor last week for the way it handled a flaw in one of its own services. An independent mailing list described a buffer overflow problem in the company's Security Check service, which checks systems for vulnerabilities and attacks. The flaw lay in an ActiveX control used by the service: a buffer overflow in the "Symantec RuFSI Utility Class" control could crash a user's system and let attackers run software on the machine through the control.

Symantec issued its own advisory on a separate list, which said the vendor had fixed the problem, and that users who henceforth scanned their systems wouldn't be affected. However, commentators pointed out, ActiveX controls are downloaded onto a user's computer. Users who don't re-scan their systems with Security Check and download the new ActiveX control would still have the flawed software.

Many Symantec customers who used the service without downloading the new control could still be at risk, experts said. They said the flaw could affect even those who never used Symantec's service, because this particular control was not limited, as Symantec's controls usually are, to use only on Symantec's site, and could be downloaded unwittingly by users who trusted its security certificate.

Coming to the party

Since then, Symantec has acknowledged that the company didn't do as much as it could have to inform customers about the vulnerability, but said it has taken steps to clean up the issue.

Symantec posted an advisory on its Security Check Web site and home page on Thursday, telling users that they needed to either rescan their systems using the Security Check service, which would fix the problem, or use a free tool from Symantec that would remove the vulnerable ActiveX control from their desktops.

Nearly all of Symantec's ActiveX controls have a security feature that prevents the control from being used by any Web sites other than Symantec's. This particular ActiveX component lacked that feature. This has been remedied, the company says.
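The article describes a control that any site could instantiate and that had to be removed from affected desktops. As an added example (not Symantec's clean-up tool and not code from the article), the following PowerShell script lets an administrator find a registered ActiveX control by its friendly name and report, or set, Internet Explorer's kill bit for it so the browser refuses to load it even if the file remains. The name substring is taken from the article; the control's CLSID is not given there, so it is looked up at run time.

```powershell
# Added example: inventory registered COM/ActiveX controls whose friendly name
# matches a pattern and report whether the IE kill bit (COMPAT_KILL_BIT, 0x400)
# is set for each. With -SetKillBit the bit is written for every match.
# Run in an elevated PowerShell session on the workstation being checked.
# On 64-bit Windows, the 32-bit view (Wow6432Node) should be checked as well.
param(
    [string]$NamePattern = 'RuFSI',   # substring of the control's friendly name (from the article)
    [switch]$SetKillBit               # also write the kill bit for each match
)

$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT   = 0x400

# Walk HKCR\CLSID; the key's default value is the control's friendly name.
$found = foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $name = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($name -and $name -like "*$NamePattern*") {
        $clsid  = $key.PSChildName
        $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty -Path (Join-Path $compatRoot $clsid) -Name 'Compatibility Flags' `
                       -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            Server  = $server                       # DLL/OCX on disk, if still present
            KillBit = [bool]([int]$flags -band $KILL_BIT)
        }
    }
}

if ($SetKillBit) {
    foreach ($c in $found) {
        $path = Join-Path $compatRoot $c.CLSID
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit into any flags already present rather than overwriting them.
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$current -bor $KILL_BIT) -Force | Out-Null
        $c.KillBit = $true
    }
}

if ($found) { $found | Format-Table -AutoSize } else { "No control matching '$NamePattern' is registered." }
```

Setting the kill bit blocks the control in Internet Explorer only; removing the file itself, as the vendor's tool does, is still the complete fix.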

Regrouping

In a statement sent to ITWeb, the company says it has worked diligently to replace the control. "We are working with users who may have downloaded the exploited ActiveX Control to remove it from their systems. Although Symantec Security Check is available to both PC and Mac users, this issue only affects PCs.

"Upon hearing of the vulnerability we swiftly made efforts to inform users of the vulnerability by posting advisories to both the Symantec Security Response Web site, as well as to Security Focus' BugTraq. Symantec has also created a clean-up tool to remove the ActiveX Control. Users can download the tool from the corresponding knowledge base article on Symantec's customer support Web site. Users visiting the Symantec Security Check Web site will also find a link to the advisory.

"Symantec will also alert consumers of the vulnerability through an advisory delivered via Symantec's e-mail newsletters and customer service mailing lists. This advisory will include a link to the article."
