Symantec kills 'broken' NAV script blocker

Written by Munir Kotadia, Contributor
Symantec has killed off the script blocker in Norton Anti-Virus 2006 because the company said the technology is no longer necessary.

However, security experts disagree, with one researcher claiming that script blocking was quietly removed because it didn't work.

On Monday, Symantec's senior director of development, Vincent Weafer, told ZDNet Australia that script blocking, which was a prominent selling feature in Norton Anti-Virus 2005, was dropped in Norton Anti-Virus 2006 because security improvements by Microsoft make the feature unnecessary.

"Script blocking was developed to detect and protect against VBS script worms that propagated via MS Outlook," said Weafer, who explained that this type of threat -- such as the 'I Love You' virus -- was prevalent around five years ago.

"These threats worked by exploiting weaknesses in the VBS script interpreter which have since been addressed by Microsoft ... since the threats have diminished and there is already OS level protection we didn't need this additional layer of security," said Weafer.

However, Weafer's comments are dismissed by security researcher Dan Milisic, who in late 2004 revealed that the script blocker in Norton Anti-Virus 2005 was flawed and could easily be bypassed by an attacker. Rival anti-virus firms claim that although Microsoft has improved the way Windows and Office handle VBS scripts, the issue still exists.

Allan Bell, McAfee's APAC marketing director, told ZDNet Australia that Microsoft had addressed the problems with VBS scripts but not solved them.

"You can set Outlook so if you double click on the script, instead of it just running -- like it did with 'I Love You' -- it will say 'do you want to execute this script' ... the average user will just click yes. So in other words it provides nothing at all ... it is not exactly very secure," said Bell.

Adam Biviano, premium services manager at Trend Micro, agreed: "Windows has a security shell controlling what scripts can do -- but at the end of the day if you click yes on the box, [the script] is going to be able to overwrite files with its own content or modify content on a computer file system."

Deny, deny, deny... then fudge
When ZDNet Australia contacted Symantec about Milisic's discovery in late 2004, the company initially denied its script blocker was flawed. A few days later -- after seeing a sample of Milisic's proof of concept script -- it admitted that there was a problem but said it was limited to users logged in with administrator rights.

Security experts were quick to point out that the majority of NAV users are consumers and will most likely have administrator rights, which would mean that most NAV customers were left vulnerable to attack.

Milisic told ZDNet Australia he suspected Symantec was unable to fix the flawed script blocker and decided to simply delete the technology from NAV and remove all mention of script blocking from Symantec's knowledge base.

"My original problem with [NAV] script blocking was that it didn't (or couldn't) work as advertised. Removing the feature would seem to verify this assertion.... All official Symantec marketing material doesn't have any mention of 'Script Blocking' in NAV 2006 so the issue has been addressed but the way they've gone about it is just stupefying," said Milisic.
