Security Web Digest: Security Flaw In Symantec Security Tool

Users of Symantec Security Check should revisit the site to eliminate the flaw
New Homeland Security airport screening technology
Users don't get privacy policies, according to study
Computer Associates and SteelCloud


Symantec recently revealed that recent versions of its Symantec Security Check tool contain a buffer overflow vulnerability. The flaw lies in an ActiveX control installed by the tool. If a user with the affected control installed visits a malicious web site, that site could trigger the overflow and potentially execute arbitrary code. Symantec has replaced the control with a fixed one, so recent visitors should return and run another system scan, which will replace the installed control on their systems with the fixed version. Ambitious users can also remove the control manually by rebooting and, at the command prompt, deleting the file "%SystemRoot%\Downloaded Program Files\rufsi.dll". You must not visit the Symantec Security Check site between the reboot and removing the control.

Homeland Security

A scanner the government is testing for airport screening reveals far more than most passengers would be comfortable with. Susan Hallowell, director of the Transportation Security Administration's security laboratory, sacrificed a large measure of her own modesty Wednesday to demonstrate the problem. She stepped into a metal booth that bounced X-rays off her skin to produce a black-and-white image in which she appeared naked, except for the gun and bomb she had hidden under her outfit. David Sobel, general counsel for the Electronic Privacy Information Center in Washington, thinks most people will object to the technology. Others proclaimed it "a whole lot nicer than having someone pat me down," according to Randal Null, the agency's chief technology officer.


Privacy policies that explain a company's Web surveillance habits have done little to dispel confusion among Internet users about how they're tracked online, according to a report released this week. The dense, legalistic documents that many commercial Web sites post to explain their data collection habits are more likely to provide false reassurance than clarity to Web surfers, the University of Pennsylvania's Annenberg Public Policy Center found. More than half of the 1,200 adults surveyed for the report wrongly believed that the mere presence of a privacy policy meant that the Web site wouldn't sell or trade personal information about them.

A partnership between Computer Associates (CA) and SteelCloud will deliver CA's eTrust family of security technology in the form of rack-mounted appliances that are "hardened" to reduce their vulnerability to attack. SteelCloud will soon offer a family of enterprise security appliances using eTrust antivirus and intrusion detection technology, the company said this week. The SteelCloud Anti-Virus Gateway (AVG) 3000 will run CA's eTrust Antivirus software and will sell for just under $20,000. The partnership with Computer Associates is SteelCloud's first attempt at packaging a hardware appliance under its own name and Computer Associates' first try at a security appliance.

The Information Technology Association of America (ITAA) announced this week that it is exploring the possibility of creating an industry coalition to combat the problem of Internet fraud. The idea for the coalition was brought about, in part, by last week's online scam targeting Best Buy customers, according to the organization. "The online fraud problem has gotten a lot of notoriety lately," said ITAA President Harris Miller. If industry can't put together some effective responses, Miller said, the government will step in with what he described as unnecessary, inappropriate regulation that could hamper the ability of Internet commerce to grow.