Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 8.5
CVE Id CVE-2006-3456
Last Modified 05 Nov 2012 10:15:15
Published 11 May 2007 06:19:00
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2006-3456

Summary

The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771.

Vulnerable Systems

Application

  • Symantec Norton Antivirus 2005

  • Symantec Norton Antivirus 2006

  • Symantec Norton Internet Security 2005

  • Symantec Norton Internet Security 2006

  • Symantec Norton System Works 2005

  • Symantec Norton System Works 2006


References

XF - symantec-navopts-security-bypass(34200)

VUPEN - ADV-2007-1751

CONFIRM - http://www.symantec.com/avcenter/security/Content/2007.05.09.html

SECTRACK - 1018031

BID - 23822

SECUNIA - 25172

IDEFENSE - 20070509 Symantec Norton Internet Security 2006 COM Object Security ByPass Vulnerability

OSVDB - 35075


Last Updated: 27 May 2016 10:56:40