Vulnerability Note VU#681983
Install Norton Security for Mac does not verify SSL certificates
Original Release date: 21 Nov 2017 | Last revised: 21 Nov 2017

Overview
Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates.

Description
CWE-295: Improper Certificate Validation – CVE-2017-15528
The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by HTTPS connections, which can allow an attacker to obtain a Man-in-the-Middle position.
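The following is an added example, not Symantec's code and not part of the original note: a Python sketch of the CWE-295 pattern, showing a TLS client context with validation switched off beside a validating one, and a download helper that refuses to connect through the former. All function names are hypothetical, and the weak context is a constructed illustration of the bug class, not the installer's actual configuration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def audit_tls_context(ctx):
    """Return CWE-295 findings for a client-side TLS context (empty list = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def weak_context():
    """Constructed 'before' case: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain validation disabled
    return ctx


def hardened_context():
    """'After' case: system trust store, chain and hostname both verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_payload(url, ctx, timeout=10):
    """Download over HTTPS only if the context actually validates the server."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS URL")
    findings = audit_tls_context(ctx)
    if findings:
        raise ValueError("refusing to connect: " + "; ".join(findings))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```

The same audit can run in a unit test or CI check so that a context with validation disabled never reaches a release build.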

Impact
An attacker with a Man-in-the-Middle position can spoof content retrieved using HTTPS.

Solution
Use Updated Installer
Symantec has released an updated installer, version 7.6, to address the vulnerability. Please see more information at Symantec’s advisory.

Vendor Information

Vendor      Status     Date Notified   Date Updated
Symantec    Unknown    09 Oct 2017     09 Oct 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            5.1     AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal        5.1     E:ND/RL:ND/RC:ND
Environmental   1.3     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisorypvid=security_advisoryyear=&suid=20171121_00
https://us.norton.com/downloads

Credit

Thanks to David for reporting this vulnerability.
This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-15528
Date Public: 21 Nov 2017
Date First Published: 21 Nov 2017
Date Last Updated: 21 Nov 2017
Document Revision: 9

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
