Security experts are sharply criticizing Symantec Inc. for the way it handled a flaw in one of its security services earlier this week.
Independent security researcher Cesar Cerrudo posted an advisory late Sunday night to the security mailing list Full Disclosure that described a buffer overflow problem in Symantec's free online Security Check service, which is used to check systems for common security vulnerabilities and attacks. The flaw resided in an ActiveX control used by Security Check to examine a computer system. A buffer overflow attack on the "Symantec RuFSI Utility Class" control could crash a user's system and let an attacker run software of his or her choice.
Cerrudo didn't directly inform Symantec of the vulnerability, but the security vendor did learn about it from Cerrudo's posting to the mailing list. Symantec issued its own advisory Monday evening to the security mailing list Bugtraq that said the vendor has fixed the problem and that users who now scan their systems won't be affected by the flaw.