matousec.com (site map)

Advisory 2006-08-15.01

Norton DLL faking via 'SuiteOwners' protection bypass

Basic information:

Release date: August 15, 2006

Last update: August 29, 2006

Severity: Critical

Character: Complete system control

Status: Unknown

Testing program: BTP00010P002NF.zip

Description:

Norton protects its own registry keys against actions by other applications. This protection can be bypassed for the registry key 'HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners' using the API functions RegSaveKey and RegRestoreKey. This registry key is also used to store important information such as names of libraries, for example 'NISProd.dll'. Using RegSaveKey and RegRestoreKey, a malicious application can modify values in 'SuiteOwners' so that Norton loads a fake library into its own processes. Malicious code in the fake library can manipulate any Norton component and thus bypass every security protection of Norton.
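Because the product's own protection of this key can be bypassed as described, a defender can check the key's contents independently. The following is an added example, not part of the advisory or of any Symantec tooling: it compares a known-good snapshot of the 'SuiteOwners' subtree with the current one and flags every changed, added or removed value, rating those that name a DLL as high severity. The value names and sample data are constructed assumptions.

```python
# Added example: baseline comparison for the registry key named in the advisory.
KEY = r"SOFTWARE\Symantec\CCPD\SuiteOwners"  # under HKLM, from the advisory

def snapshot(path=KEY):
    """Return {(subkey_path, value_name): data} for the whole subtree (Windows only)."""
    import winreg  # imported here so diff() stays usable on any platform
    values = {}
    def walk(sub):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            for i in range(n_values):
                name, data, _type = winreg.EnumValue(key, i)
                values[(sub.lower(), name.lower())] = data  # registry names are case-insensitive
            children = [winreg.EnumKey(key, i) for i in range(n_subkeys)]
        for child in children:
            walk(sub + "\\" + child)
    walk(path)
    return values

def names_library(data):
    """True if the value data mentions a DLL, like the 'NISProd.dll' entry the advisory cites."""
    return ".dll" in str(data).lower()

def diff(baseline, current):
    """Compare two snapshots; return (severity, change, subkey, name, old, new) tuples."""
    findings = []
    for ident in sorted(set(baseline) | set(current)):
        if ident not in baseline:
            change, old, new = "added", None, current[ident]
        elif ident not in current:
            change, old, new = "removed", baseline[ident], None
        elif baseline[ident] != current[ident]:
            change, old, new = "changed", baseline[ident], current[ident]
        else:
            continue
        severity = "high" if names_library(old) or names_library(new) else "info"
        findings.append((severity, change, *ident, old, new))
    return findings

# Constructed sample data: value names and contents are assumptions, not taken from a real install.
BASELINE = {(KEY.lower(), "library"): "NISProd.dll", (KEY.lower(), "owner"): "NIS"}
CURRENT = {(KEY.lower(), "library"): "Example.dll", (KEY.lower(), "owner"): "NIS",
           (KEY.lower() + "\\extra", "note"): "x"}

if __name__ == "__main__":
    for finding in diff(BASELINE, CURRENT):
        print(finding)
```

On a Windows host, `diff(saved_baseline, snapshot())` performs the same comparison against the live key. The whole subtree is compared because RegRestoreKey overwrites a key together with its subkeys.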

Vulnerable software:

Events:

References: