In a world where digital gremlins seem to lurk in almost every shadow, many of us feel safer using an internet security package. But for those using many Norton security products who haven't updated recently, that feeling is a false sense of security.

That's because a nasty bug residing in two ActiveX controls used in Norton's PC software could allow an attacker to remotely execute code on the user's machine. Symantec is advising users to immediately update affected versions, which include the 2006 versions of Norton AntiVirus, Norton Internet Security, and Norton System Works and the 2005 version of Norton Internet Security, Anti Spyware Edition.

"This error could allow an attacker to crash Internet Explorer, or possibly run arbitrary code with the rights of the logged in user," Symantec warned. The attacker would first have to lure a vulnerable machine to a booby-trapped website, the advisory added.

Secunia rates the flaw "highly critical," the second-highest category in its five-tier rating system.

The bug is the result of an "input validation" error, which fails to analyze incoming data for malicious commands before executing them. Norton is encouraging all users to run the program's Live Update feature immediately. ®

Related stories

• Symantec launches new SMB partner programme (13 September 2007)
• Symantec releases new NetBackup (14 August 2007)
• Strange spoofing technique evades anti-phishing filters (25 May 2007)
• Norton's firewall not fiery enough (21 May 2007)
• Symantec coughs to security hole in its AV software (26 May 2006)
• Symantec fixes 'rootkit' bug in Systemworks (12 January 2006)
• Critical Symantec bug hits 40 products (22 December 2005)
• Symantec anti-virus flaw hits 30 products (10 February 2005)