
             AUSCERT External Security Bulletin Redistribution

                  ESB-2009.0430 -- [Win][Netware][Linux]
         Symantec Reporting Server: Provide Misleading Information
                                4 May 2009


        AusCERT Security Bulletin Summary

Product:              Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
                      Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
                      Symantec Client Security 3.1 MR7 and earlier
                      Symantec Endpoint Protection 11.0 MR1 and earlier
Publisher:            Symantec
Operating System:     Windows
                      Linux variants
Impact:               Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-1432

Original Bulletin:    

- --------------------------BEGIN INCLUDED TEXT--------------------

Symantec Reporting Server Improper URL Handling Exposure


April 28, 2009


Revision History

Risk Impact

Remote Access            No
Local Access             Yes
Authentication Required  No
Exploit available        No

The login web page in some versions of Symantec Reporting Server contains a 
URL handling error which could potentially allow an attacker to launch a 
phishing attack.

Affected Products
Product                               Affected Version      Solution
Symantec AntiVirus Corporate Edition  10.1 MR7 and earlier  Update to 10.1 MR8 or later
                                      10.2 MR1 and earlier  Update to 10.2 MR2 or later
Symantec Client Security              3.1 MR7 and earlier   Update to 3.1 MR8 or later
Symantec Endpoint Protection          11.0 MR1 and earlier  Update to 11.0 MR2 or later

Unaffected Products
Product              Version
Norton product line  all

Symantec Reporting Server is a component of Symantec AntiVirus Corporate 
Edition (SAV), Symantec Client Security (SCS) and Symantec Endpoint Protection 
Manager (SEPM) that can be used to create reports about Symantec antivirus 
products in an enterprise network.

Symantec was notified that the Reporting Server login screen contained a URL 
handling error which could potentially be used to launch a phishing attack.
The error could allow a successful attacker to display a message of their 
choice on the Reporting Server login screen.

Symantec Response
Symantec engineers confirmed that this exposure exists in the versions of 
Reporting Server indicated in the table above. Updates have been released to 
address the vulnerability. 

The flaw only allows an attacker to display a message of their choice on the 
Reporting Server login screen. The attacker does not gain additional access 
to the Reporting Server program unless the message persuades a trusted user 
to forward their login credentials to the attacker.

To set up an attack, an attacker would either need access to the Reporting 
Server, or to entice a trusted user to click on a specially crafted link to 
the Reporting Server. In a recommended installation, Reporting Server is 
installed on the enterprise intranet, and is not visible from the internet. 
Installing Reporting inside the corporate firewall greatly reduces the 
opportunity for unauthorized access.
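The advisory does not describe the mechanism beyond "a URL handling error"
that lets the link author choose the text shown on the login screen. The
following is an added illustration of that general class, written for this
bulletin and not taken from Symantec's Reporting Server code: a login-page
handler that echoes a URL parameter into the page, beside a hardened handler
that only lets the URL select one of a fixed set of messages. The parameter
name "msg", the message codes, the HTML fragments and the sample URLs are all
constructed for the example.

```python
"""Content injection through a reflected URL parameter, and its fix.

Added example, not Symantec's code. The parameter name 'msg', the message
table, the HTML and the URLs below are constructed for illustration and do
not describe the real Reporting Server login page.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only notices the login page may ever display.
LOGIN_MESSAGES = {
    "expired": "Your session has expired. Please sign in again.",
    "badcred": "The user name or password is incorrect.",
}
DEFAULT_MESSAGE = "Please sign in."
FIXED_TEXTS = set(LOGIN_MESSAGES.values()) | {DEFAULT_MESSAGE}


def _query(url: str) -> dict:
    """Return the first value of each query parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_login_unsafe(url: str) -> str:
    """The weak pattern: free text from the URL is echoed into the page.

    Whoever builds the link therefore controls the notice the user reads,
    which is exactly the phishing lever the advisory describes.
    """
    msg = _query(url).get("msg", DEFAULT_MESSAGE)
    return f"<form action='/login'><p class='notice'>{msg}</p>...</form>"


def render_login_safe(url: str) -> str:
    """Hardened: the URL may select a message code, never supply text.

    Unknown codes fall back to the default, and the fixed text is still
    HTML-escaped so a later edit to the table cannot introduce markup.
    """
    code = _query(url).get("msg", "")
    msg = LOGIN_MESSAGES.get(code, DEFAULT_MESSAGE)
    return f"<form action='/login'><p class='notice'>{html.escape(msg)}</p>...</form>"


def link_author_controls_notice(url: str, renderer) -> bool:
    """True if the notice rendered for url is not one of the fixed messages.

    This is the check a reviewer or tester would run against a login page:
    feed it a URL carrying arbitrary text and see whether that text appears.
    """
    page = renderer(url)
    start = page.index("<p class='notice'>") + len("<p class='notice'>")
    end = page.index("</p>", start)
    shown = html.unescape(page[start:end])
    return shown not in FIXED_TEXTS


if __name__ == "__main__":
    # Constructed sample URLs; the host is a placeholder.
    free_text = "http://reporting.example.invalid/login?msg=Any+text+the+link+author+chooses"
    known_code = "http://reporting.example.invalid/login?msg=expired"
    print("unsafe handler reflects link text:",
          link_author_controls_notice(free_text, render_login_unsafe))
    print("safe handler reflects link text:  ",
          link_author_controls_notice(free_text, render_login_safe))
    print("safe handler, known code:", render_login_safe(known_code))
```

The design point is that the page never builds user-visible text from the
URL: the URL carries at most a short code that is looked up in a table the
application owns, so the worst a crafted link can do is pick a different
message the developers already wrote.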

Reporting is an optional component of SAV and SCS. This exposure would affect 
SAV or SCS only if the Reporting component has been installed.

Symantec is not aware of any customers impacted by this issue, or of any 
attempts to exploit this issue. However, we recommend that customers update 
Reporting to prevent potential attempts to exploit the vulnerability.


    * Uninstall Reporting Server if it is not being used in SAV or SCS.
    * Access to the Reporting Server interface should be restricted to 
      trusted users only.
    * User accounts for Reporting Server should be different from the user's 
      network login account.
    * Always manually type the address of your Reporting Server login screen 
      into your web browser. Do not follow a link to the login screen.
    * Protect your login credentials. Never send your ID and password to a 
      third party. 

Applying the Update for Symantec AntiVirus Corporate Edition or Symantec 
Client Security
Reporting is an optional component of Symantec AntiVirus Corporate Edition 
and Symantec Client Security, and it can be updated (migrated) independently 
of the rest of the program. For more information, please see this 
knowledgebase document:

Migrating Reporting Server for Symantec Client Security 3.1 and Symantec 
AntiVirus 10.1

Applying the Update for Symantec Endpoint Protection Manager
Reporting is an integral function of SEPM, and it cannot be updated 
independently. For more information, please see this knowledgebase document:

Best Practice

    * Run under the principle of least privilege where possible.
    * Keep all operating systems and applications updated with the latest 
      vendor patches.
    * Run both a personal firewall and antivirus application with current 
      updates to provide multiple points of detection and protection.
    * Email addresses can easily be spoofed so that a message appears to come 
      from someone you know. If in doubt, contact the sender before opening 
      attachments or following web links. 

Symantec would like to thank Dave Lewis of LiquidMatrix for reporting this 
issue, and coordinating with us on the response.

The Symantec DeepSight analyst team has assigned BID 34668 to this issue. This 
issue is a candidate for inclusion in the Common Vulnerabilities and Exposures 
(CVE) list (http://cve.mitre.org), which standardizes names for security 
problems. The CVE initiative has assigned CVE-2009-1432 to this issue.

Symantec takes the security and proper functionality of our products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec supports and follows the principles of responsible 
disclosure. Symantec also subscribes to the vulnerability disclosure 
guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security 
issue in a Symantec product. A Symantec Product Security team member will 
contact you regarding your submission. Symantec strongly recommends using 
encrypted email for reporting vulnerability information to secure@symantec.com. 
The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining 
the process we follow in addressing suspected vulnerabilities in our products. 
This document is available below.

Symantec Vulnerability Response Policy:

Symantec Product Vulnerability Management PGP Key:

Copyright (c)  by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it 
is not edited in any way unless authorized by Symantec Security Response. 
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@symantec.com

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and 
secure@symantec.com are registered trademarks of Symantec Corp. and/or 
affiliated companies in the United States and other countries. All other 
registered and unregistered trademarks represented in this document are the 
sole property of their respective companies/owners.

Last modified on: April 28, 2009

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967