CVE-2010-3497 in Norton AntiVirus

Summary

by MITRE

Symantec Norton AntiVirus 2011 does not properly interact with the processing of hcp:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product, but with a detection approach that occurs too late to stop the code execution. NOTE: the researcher indicates that a vendor response was received, stating that this issue "falls into the work of our Firewall and not our AV (per our methodology of layers of defense)."


Analysis

by VulDB Data Team • 01/22/2018

CVE-2010-3497 is a design flaw in the security architecture of Symantec Norton AntiVirus 2011 that stems from improper integration with the Microsoft Help and Support Center's URL processing. The issue manifests when hcp:// URLs are handled; the Microsoft help system uses these URLs to reach local help files and documentation. Norton AntiVirus 2011 does not adequately intercept or block malicious hcp:// URL requests that can lead to code execution, so the antivirus protection is bypassed during the initial detection phase. The vulnerability falls under the CWE-843 category of "Access of Resource with Inappropriate Access Control" and exposes a weakness in the layered defense model Symantec had implemented.

The vulnerability lies in the timing gap between the moment Norton's antivirus engine detects malicious code and the moment execution of that code is actually prevented. Even when malware is correctly identified by Norton's signature-based detection, the software does not block the execution path that runs through the Microsoft Help and Support Center's hcp:// URL handler, leaving a window in which the malicious code runs before Norton's protection can intervene. The root cause is the lack of coordination between Norton's antivirus engine and the Windows help system components, specifically in how the hcp:// protocol is processed by the operating system.

The operational impact is significant because remote attackers can bypass antivirus protection that should have prevented code execution. Attackers can craft malware that Norton's detection systems do not stop in time, exploiting the timing gap to execute malicious code through the hcp:// URL processing pathway. This contradicts the principle of layered defense, under which each security component should provide independent protection. The issue gives users a false sense of security: they believe Norton AntiVirus 2011 protects them sufficiently while they remain exposed to code execution that bypasses it. In ATT&CK terms, the vulnerability maps to techniques involving process injection and execution through trusted system components.

The vendor response is concerning because it reflects a security-architecture approach that shifts responsibility from the antivirus product to the firewall component. It indicates that Symantec's defense-layer methodology treats the antivirus as secondary to other security mechanisms, which rests on the assumption that other components will catch the threats it does not. That runs against defense in depth, where each product should provide comprehensive protection rather than depend on other components to cover gaps in its own functionality. The statement that the issue "falls into the work of our Firewall and not our AV" suggests a misunderstanding of how security products should interoperate and protect against threats. The result is a gap in which attackers can exploit the interaction between Microsoft system components without being blocked by Norton's antivirus protection, which makes this an issue requiring prompt attention and remediation.

Reservation

09/24/2010

Disclosure

08/22/2012

Moderation

accepted

Entry

VDB-61738

CPE

ready

EPSS

0.02888

KEV

no

Activities

very low

Sources
