CVE-2006-3456

Current Description

The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771.

Referenced by CVEs: CVE-2007-3771

Basic Data

Published: May 11, 2007
Last Modified: July 20, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-94
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 8.5
Severity: HIGH
Exploitability Score: 6.8
Impact Score: 10.0
Obtain All Privilege: true
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
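    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Symantec | Norton Antivirus | 2005 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Symantec | Norton Antivirus | 2006 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Symantec | Norton Internet Security | 2005 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Symantec | Norton Internet Security | 2006 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Symantec | Norton System Works | 2005 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Symantec | Norton System Works | 2006 | * | * | * | * | * | * | * | | | |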

Vulnerable Software List

Vendor | Product | Versions
Symantec | Norton Antivirus | 2005, 2006
Symantec | Norton Internet Security | 2005, 2006
Symantec | Norton System Works | 2005, 2006

References

Name | Source | URL | Tags
20070509 Symantec Norton Internet Security 2006 COM Object Security ByPass Vulnerability | IDEFENSE | http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=529 | Vendor Advisory
35075 | OSVDB | http://osvdb.org/35075 |
25172 | SECUNIA | http://secunia.com/advisories/25172 | Vendor Advisory
23822 | BID | http://www.securityfocus.com/bid/23822 |
1018031 | SECTRACK | http://www.securitytracker.com/id?1018031 |
http://www.symantec.com/avcenter/security/Content/2007.05.09.html | CONFIRM | http://www.symantec.com/avcenter/security/Content/2007.05.09.html | Vendor Advisory
ADV-2007-1751 | VUPEN | http://www.vupen.com/english/advisories/2007/1751 | Vendor Advisory
symantec-navopts-security-bypass(34200) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/34200 |