OK, so I’m a little annoyed with Symantec. I submitted this vulnerability to them in January of 2008 and they released it last night without chatting with me regarding the advisory. Every vendor I have dealt with up to this point has at least extended that courtesy.
They get it wrong,
“The flaw only allows an attacker to display a message of their choice on the Reporting Server login screen. The attacker does not gain additional access to the Reporting Server program unless the message persuades a trusted user to forward their login credentials to the attacker.”
No. More can be accomplished than just passing text to the user interface. There is more to it. This would process code if you passed it correctly. If you have a look at the screen cap above (click to expand) check a look at the URL and consider your options.
This made me choke on my morning coffee. They released this last night.
To set up an attack, an attacker would either need access to the Reporting Server, or to entice a trusted user to click on a specially crafted link to the Reporting Server.
Right. That’s the only way. (/sarcasm)
Where I get more annoyed is that they list their affected products as only being Symantec Antivirus Corporate Edition, Symantec Client Security and Symantec Endpoint Protection. From my discussions with Symantec (and I have the emails) they indicated that any product in their line that uses this reporting library is affected. After delays, it’s now finally fixed. Although the fix cannot be delivered via LiveUpdate.
Date Submitted: January 17, 2008
Vendor Response: January 18, 2008
Date Fixed: June 2008 date missed by Symantec
Date Fixed: November 2008 date missed by Symantec
Date Fix Released: April 28, 2009
Why did a vulnerability rated as “low” take that long to fix you ask? Damn good question.
This was an annoying experience dealing with Symantec and it’s inability to meet deadlines that it set forth. Being responsible and working with vendors sometimes just isn’t worth the hassle. I think I’ll just submit future finds to ZDI.
Symantec Advisory
Secunia Advisory
No more free bugs!
Working on the OSVDB entry now =)