Install Norton Security for Mac does not verify SSL certificates

Overview

Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates.

Description

CWE-295**: Improper Certificate Validation -**CVE-2017-15528

The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by HTTPS connections, which can allow an attacker to obtain a Man-in-the-Middle position.

---

Impact

An attacker with a Man-in-the-Middle position can spoof content retrieved using HTTPS.

---

Solution

Use Updated Installer

Symantec has released an updated installer, version 7.6, to address the vulnerability. Please see more information at Symantec’s advisory.

---

Vendor Information

681983

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Symantec Unknown

Notified: October 09, 2017 Updated: October 09, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group	Score	Vector
Base	5.1	AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal	5.1	E:ND/RL:ND/RC:ND
Environmental	1.3	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

• https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171121_00
• <https://us.norton.com/downloads&gt;

Acknowledgements

Thanks to David for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs:	CVE-2017-15528
Date Public:	2017-11-21 Date First Published: