COMMAND

    Norton Utilities 2.0

SYSTEMS AFFECTED

    Win '95

PROBLEM

    This  bug  can  leave   personal  computer  users  vulnerable   to
    outside attack when users of  Norton Utilities 2.0 for Windows  95
    get  on  the  World  Wide  Web  through Microsoft Corp.'s Internet
    Explorer.

    The security flaw allows  the Symantec program to  accept commands
    from the out side. In  theory, an outsider could alter  or destroy
    data or gather information from the computer.

    Windows Sources  said Norton  Utilities exposes  a weakness  in in
    Microsoft's  Active-X   technology  used   in  its   browser.  The
    technology  lets  PC  users  download  small software applications
    from the Web onto their computers.

    The  problem  lies  in  TUNEOCX.OCX,  a  core  component of Norton
    Utilities' System Genie.   When installed, this  OCX is marked  as
    scriptable, which  allows ActiveX-aware  Web page  scripts to make
    use  of  this  ActiveX  control.   This  control  supports a "run"
    option that allows  the script to  execute any local  application,
    such as the FORMAT or FTP (net-based file transfer) commands.

    Windows  Sources  analysis  of  Norton  Utilities  found that this
    component essentially  granted unauthorized  access to  any system
    resource that is normally accessible from the desktop itself.   As
    a  result,  any  programmer  with  access  to  one  of Microsoft's
    scripting tools (VBScript, MS  C++, Visual C++, Visual  J++, etc.)
    can  leverage  this  control  to  perform  any  task on the target
    system -- unbeknownst to the system's user.

    For  example,  a  Web  page  hacker  could build a page that, when
    viewed by  Internet Explorer,  runs a  few lines  of VBScript code
    that wipes out a hard  drive, installs a Trojan horse,  or invokes
    file  transfer  and  directory  utilities to retrieve confidential
    information. Worse yet, all these tasks could be performed in  the
    background  without  the  user  ever  knowing  what's happening to
    their system.

    Source text (not all this):

    http://www.reference.com/cgi-bin/pn/go?choice=message&table=04_1997&mid=1323625&hilit=FLAW+SECURITY

SOLUTION

    Verisign's  Authenticode,  billed  by  Microsoft  as  a protection
    mechanism  built  into  Internet  Explorer  that  allows  users to
    intervene  before  potentially  dangerous  code  is downloaded, is
    ineffective  against  this  sort  of  invasion.   That's   because
    Authenticode watches for software  that's about to be  downloaded,
    but  not  VBScripts  that  activate  software  components that are
    already installed on the system (e.g.:  TUNEOCX.OCX).

    Symantec  Corp.  made  a  fix  for  a security flaw in its popular
    Norton Utilities software.  They plan to put it on the Web.

    Symantec said users  of Norton Utilities  2.0 for Windows  will be
    able  to  get  the  flaw  fixed  by  clicking on the "live update"
    button in  the program.  The program  will search  the Web for the
    patch, download and install it.

    While the flaw is known  to occur only in combination  with Norton
    Utilities 2. 0 for Windows 95 and Internet Explorer, "there  could
    be other combinations  of application and  Active-X-based browsers
    that are  equally vulnerable,"  said Windows  Sources.  Microsoft,
    however, said the Active-X technology is safe.