CVE-2006-3456

The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771.

Published: May 11, 2007
Updated: Apr 13, 2023
CVE: CVE-2006-3456
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 8.5
AV:N/AC:M/Au:S/C:C/I:C/A:C

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
symantec / norton_system_works	2005	2005.x
symantec / norton_system_works	2006	2006.x
symantec / norton_antivirus	2006	2006.x
symantec / norton_internet_security	2006	2006.x
symantec / norton_antivirus	2005	2005.x
symantec / norton_internet_security	2005	2005.x

Vulnerability Database

289,697

CVE-2006-3456